• Products
  • Solutions
  • Made with Unity
  • Learning
  • Support & Services
  • Community
  • Asset Store
  • Get Unity

UNITY ACCOUNT

You need a Unity Account to shop in the Online and Asset Stores, participate in the Unity Community and manage your license portfolio. Login Create account
  • Blog
  • Forums
  • Answers
  • Evangelists
  • User Groups
  • Beta Program
  • Advisory Panel

Navigation

  • Home
  • Products
  • Solutions
  • Made with Unity
  • Learning
  • Support & Services
  • Community
    • Blog
    • Forums
    • Answers
    • Evangelists
    • User Groups
    • Beta Program
    • Advisory Panel

Unity account

You need a Unity Account to shop in the Online and Asset Stores, participate in the Unity Community and manage your license portfolio. Login Create account

Language

  • Chinese
  • Spanish
  • Japanese
  • Korean
  • Portuguese
  • Ask a question
  • Spaces
    • Default
    • Help Room
    • META
    • Moderators
    • Topics
    • Questions
    • Users
    • Badges
  • Home /
avatar image
1
Question by Sytto · Sep 02, 2012 at 05:41 PM · wwwscorephp

How to send securely scores to PHP backend

Hello everyone.

I have a little game that sends scores to a PHP backend. I have been reading a lot of forum threads and examples that just make some hash of the score with basic data and send it to the php backend

e.g MD5(user+score+secretkey)

and then send this usign the WWW class

this is kinda useful if you don't wanna tampered data, but I encountered a problem on these examples. It's stupidly easy to get the generated URL/Hash from unity and run it into your browser as many times as you want.

E.G. unity generates an URL like this one : http://myweb.com/score.php?username=player1&points=14350&hash=7215ee9c7d9dc229d2921a40e899ec5f

with some program you can get this URL and paste it in your browser as many times as you want, and the PHP backend will always add the score to the database because the hash is correct. My question is how to securely perform these actions? I'm noob at security but I have good php skills so I don't wanna a piece of code, just the correct way to do this, thanks everyone and sorry for my bad English :P

Comment
Add comment
10 |3000 characters needed characters left characters exceeded
▼
  • Viewable by all users
  • Viewable by moderators
  • Viewable by moderators and the original poster
  • Advanced visibility
Viewable by all users

2 Replies

· Add your reply
  • Sort: 
avatar image
0
Best Answer

Answer by Sisso · Sep 03, 2012 at 02:59 PM

You could use a aes encryption. It uses a secret key to encrypt/decrypt your data. The only way to hack is decompiling your code and getting the secretKey.

http://en.wikipedia.org/wiki/Advanced_Encryption_Standard

Here you could find some clues: http://answers.unity3d.com/questions/193286/Aes-encryption.html

Comment
Add comment · Share
10 |3000 characters needed characters left characters exceeded
▼
  • Viewable by all users
  • Viewable by moderators
  • Viewable by moderators and the original poster
  • Advanced visibility
Viewable by all users
avatar image
0

Answer by kromenak · Sep 03, 2012 at 09:12 AM

There may be more secure methods around (and I'm not an expert at cryptography or anything), but an easy method of hiding your hash would be to use an HTTP POST instead of GET. You can do this in Unity using the WWWForm class to create a Key/Value dictionary of post data. Then, you can use PHP's $_POST variable instead of $_GET.

For additional security, you can use an SSL connection (via HTTPS), but I seem to remember having issues using Unity over HTTPS...would require some experimenting.

There are some additional security methods that might be helpful - you could get into doing like some public/private key RSA stuff, but if your main concern is that people can see the hash in the URL, POST should fix that for you.

Comment
Add comment · Show 2 · Share
10 |3000 characters needed characters left characters exceeded
▼
  • Viewable by all users
  • Viewable by moderators
  • Viewable by moderators and the original poster
  • Advanced visibility
Viewable by all users
avatar image Sytto · Sep 03, 2012 at 02:43 PM 0
Share

isn't the POST data as easy to get as the GET data? I think any person with a bit of knowledge could get the data of a POST request as easy as the data of a GET request. Could you explain that RSA stuff? I'm a bit lost, thanks!

avatar image kromenak · Sep 04, 2012 at 03:36 AM 0
Share

POST is as easy to get as GET in the sense that it isn't encrypted or anything. It is a little harder because you don't flaunt the details in your URL for anyone to see ;). If you use SSL, POST becomes a pretty viable option.

I'm not too familiar with RSA myself, but it mainly involves having public/private keys where the public key is used to encrypt messages and then only the private key can decrypt them. I haven't actually implemented it myself; the AES method suggested by Sisso might be more appropriate.

Your answer

Hint: You can notify a user about this post by typing @username

Up to 2 attachments (including images) can be used with a maximum of 524.3 kB each and 1.0 MB total.

Welcome to Unity Answers

If you’re new to Unity Answers, please check our User Guide to help you navigate through our website and refer to our FAQ for more information.

Before posting, make sure to check out our Knowledge Base for commonly asked Unity questions.

Check our Moderator Guidelines if you’re a new moderator and want to work together in an effort to improve Unity Answers and support our users.

Follow this Question

Answers Answers and Comments

9 People are following this question.

avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image

Related Questions

Disable execute/write permissions on PHP files while maintaining the ability to execute them from Unity? 1 Answer

Connecting Unity game to wordpress..... ? (need help :D ) 0 Answers

www request ienumerator function doesn't work 0 Answers

PHP POST through $_REQUEST with WEBBUILD 1 Answer

Unity C# I need my PHP page to Run (on the Server) Without me Getting or Sending Info 0 Answers


Enterprise
Social Q&A

Social
Subscribe on YouTube social-youtube Follow on LinkedIn social-linkedin Follow on Twitter social-twitter Follow on Facebook social-facebook Follow on Instagram social-instagram

Footer

  • Purchase
    • Products
    • Subscription
    • Asset Store
    • Unity Gear
    • Resellers
  • Education
    • Students
    • Educators
    • Certification
    • Learn
    • Center of Excellence
  • Download
    • Unity
    • Beta Program
  • Unity Labs
    • Labs
    • Publications
  • Resources
    • Learn platform
    • Community
    • Documentation
    • Unity QA
    • FAQ
    • Services Status
    • Connect
  • About Unity
    • About Us
    • Blog
    • Events
    • Careers
    • Contact
    • Press
    • Partners
    • Affiliates
    • Security
Copyright © 2020 Unity Technologies
  • Legal
  • Privacy Policy
  • Cookies
  • Do Not Sell My Personal Information
  • Cookies Settings
"Unity", Unity logos, and other Unity trademarks are trademarks or registered trademarks of Unity Technologies or its affiliates in the U.S. and elsewhere (more info here). Other names or brands are trademarks of their respective owners.
  • Anonymous
  • Sign in
  • Create
  • Ask a question
  • Spaces
  • Default
  • Help Room
  • META
  • Moderators
  • Explore
  • Topics
  • Questions
  • Users
  • Badges