Hi, I’m setting up my game (webplayer) to send out WWW requests to a few PHP files that will update a player's kill score, death score and overall gained points in our database. Problem is that communicating with a PHP file to update the database is a huge security hole. A person could just open up Firebug, see these requests being sent from Unity and perform them on their own outside of the webplayer.
I understand that SSL/HTTPS is also recommended, but: A) it seems like overkill for our simple needs. B) I fail to see how this would prevent someone from still being able to study the HTTP requests and again perform them on their own.
So what is a person to do if they can’t talk directly to a database from Unity (webplayer), yet any request to a server-side file via WWW would expose to the client how sensitive data is requested to be updated in the database?
Please any suggestions or advice would be greatly appreciated.
Thanks.
HTTPS gives a secure, SSL-encrypted channel. So the request itself is not readable at all (at least within meaningful time); SSL encryption is still considered strong enough to prevent any meaningful attempt to break it.
Also, you send statistics, nothing game breaking.
If you want it more secure, do what EA etc. do: don’t give the server to the players at all, but run it in an environment controlled by you and let only the server interact with the web service. Something the players have no access to does not allow them to trick it at all. (It's not like you want your players to report kills anyway; that's the server's job.)
Ok, good to know about the HTTPS.
I completely agree with you that this should be something the player has no access to, so there has got to be something I’m not understanding. I mean, at some point you are going to have a need to store information in a database, so how does one achieve this in a controlled environment with Unity?
I’ve been reading that standalone exe builds can talk directly to databases such as MySQL, but you can’t with the webplayer builds. (On a side note, this seems very counterintuitive, being that most webplayer builds would have higher odds of requiring direct communication with a database from Unity.)
Any ideas?
Even if you could talk to MySQL directly you don’t want it in anything you hand out to players because that means wildcard database access, which is very insecure.
Question is what you do in detail.
Normally you would likely host the game server nodes (headless clients running on your own machines) with players only connecting to them. Battlefield: Bad Company 2 works like this, for example, with the end user having no server executable to even toy with; the only configuration possibility is on a web backend.
In such an environment you could use MySQL or WWW (with or without HTTPS), as you can trust your own servers.
Well, in detail, we have a dedicated Windows Server 2003 box that we run a standalone exe version of our game on. This results in a hosted room that shows up in our webplayers, which the clients only have access to.
Clients can then connect to this headless server and play, OR we allow them to create their own game for others to connect to, where they are both player and host.
So obviously, allowing direct communication with our database would be fine in our headless version because it lives on our server only. But for people who would like to host their own games, you bring up a good point that even if there was a way, it would result in wildcard access.
So, I guess to meet the best of both worlds a WWW request is the only way to go… I guess HTTPS is starting to sound better and better 
Yes if you need to feed both, then WWW → Secure Backend (PHP, ASP, whatever you want) ↔ Database is then the way to go.
And yup, HTTPS is definitely favorable.
(Then you only have to secure the client so it doesn't just mess the data up in there, by definition.)
The main problem is that nothing prevents them from faking data: joining their game with 4 fake clients and firing them to hell to get a 100% headshot rate and whatever, but that falls under the category of cheat prevention.
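The "WWW → Secure Backend ↔ Database" shape from the two posts above, written out as an added example (this is not code from the thread, from Unity, or from the poster's PHP files). The thread's backend is PHP; this models the same logic in Python so it runs stand-alone, with an in-memory SQLite table standing in for MySQL. The technique the example adds, which the thread does not name, is the usual one for "only my own server may report": the headless server signs each report with a shared key (HMAC-SHA256) that is never in the webplayer build, and the backend refuses anything not signed, edited after capture, replayed, or too old. `SERVER_KEY`, `MAX_AGE`, `sign_report`, `StatsBackend`, the field names and the table schema are all assumptions for the example.

```python
"""Added example: stat reports accepted only from the operator-run game server."""
import hashlib
import hmac
import json
import os
import sqlite3
import time

# Assumed shared secret. It lives on the operator's headless server and on the
# backend only, never in the webplayer build that players receive.
SERVER_KEY = b"example-shared-key-not-for-production"

# Correctly signed reports older than this many seconds are still refused.
MAX_AGE = 60


def canonical(body):
    """Serialize a report body deterministically so both sides sign the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_report(key, player, kills, deaths, points, now=None, nonce=None):
    """Trusted game-server side: build the request the headless server sends.

    Timestamp and nonce sit inside the signed body, so a request captured in
    Firebug can neither be edited nor replayed.
    """
    body = {
        "player": player, "kills": kills, "deaths": deaths, "points": points,
        "ts": int(time.time()) if now is None else now,
        "nonce": os.urandom(8).hex() if nonce is None else nonce,
    }
    sig = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


class StatsBackend:
    """Backend side (the thread's PHP file), modeled with in-memory SQLite."""

    def __init__(self, key):
        self.key = key
        self.seen_nonces = set()
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE stats (player TEXT PRIMARY KEY, kills INTEGER"
                        " NOT NULL, deaths INTEGER NOT NULL, points INTEGER NOT NULL)")

    def handle(self, request, now=None):
        body, sig = request.get("body"), request.get("sig")
        if not isinstance(body, dict) or not isinstance(sig, str):
            return "rejected: malformed"
        # 1. Only a holder of SERVER_KEY can produce a valid signature.
        expected = hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return "rejected: bad signature"
        # 2. Validate the authenticated fields before touching the database.
        try:
            player = body["player"]
            counts = [body["kills"], body["deaths"], body["points"]]
            ts, nonce = body["ts"], body["nonce"]
        except KeyError:
            return "rejected: missing field"
        if not isinstance(player, str) or not player:
            return "rejected: bad player"
        if not all(isinstance(c, int) and 0 <= c <= 1000 for c in counts):
            return "rejected: bad counts"
        # 3. Refuse stale and replayed reports.
        now = int(time.time()) if now is None else now
        if not isinstance(ts, int) or abs(now - ts) > MAX_AGE:
            return "rejected: stale"
        if nonce in self.seen_nonces:
            return "rejected: replay"
        self.seen_nonces.add(nonce)
        # 4. Parameterized statements only; the player name never enters SQL text.
        self.db.execute("INSERT OR IGNORE INTO stats VALUES (?, 0, 0, 0)", (player,))
        self.db.execute("UPDATE stats SET kills = kills + ?, deaths = deaths + ?,"
                        " points = points + ? WHERE player = ?", (*counts, player))
        self.db.commit()
        return "ok"

    def stats(self, player):
        return self.db.execute("SELECT kills, deaths, points FROM stats"
                               " WHERE player = ?", (player,)).fetchone()


def demo(now=1_700_000_000):
    """Run the scenarios from the thread (constructed inputs) and return each outcome."""
    backend = StatsBackend(SERVER_KEY)
    genuine = sign_report(SERVER_KEY, "alice", 3, 1, 25, now=now, nonce="n1")
    results = {"genuine": backend.handle(genuine, now=now)}
    # The player captured the request and re-sends it unchanged.
    results["replay"] = backend.handle(genuine, now=now)
    # The player edits the captured request to claim 100 kills.
    forged = json.loads(json.dumps(genuine))
    forged["body"]["kills"] = 100
    results["forged"] = backend.handle(forged, now=now)
    # The player builds a request from scratch without the key.
    fake = {"body": {"player": "alice", "kills": 50, "deaths": 0, "points": 999,
                     "ts": now, "nonce": "n2"}, "sig": "00" * 32}
    results["unsigned"] = backend.handle(fake, now=now)
    # A genuine report held back for too long before delivery.
    late = sign_report(SERVER_KEY, "alice", 1, 0, 5, now=now - 2 * MAX_AGE, nonce="n3")
    results["stale"] = backend.handle(late, now=now)
    results["stats"] = backend.stats("alice")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

HTTPS still belongs in front of this: it hides the key-signed traffic from anyone on the network path. What the signature adds is the part HTTPS cannot give, namely that a player who owns the client and can read every request is still unable to submit numbers the operator's server did not produce. The limitation is exactly the one raised in the post above: in the "players host their own games" setup the host machine must hold the key to sign reports, so a dishonest host can sign whatever its fake clients generate, and that has to be handled as cheat prevention rather than by request authentication.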
Dang it dreamora, why do you have to bring yet another level of security flaw to mind!!
Thanks for all your help, greatly appreciated.