This question was closed Jun 22, 2013 at 03:25 AM by AlucardJay for the following reason:

Duplicate Question

0
Question by acriticalstrike · Jun 19, 2013 at 12:17 AM · security sql decompile obfuscation hack

Players can decompile my game and find out the login and password to my sql server.... WHAT DO I DO??

Players can decompile my game and find out the login and password to my sql server....

WHAT DO I DO??

I know I can obfuscate my code but I also know that someone can just de-obfuscate my code which leaves me back at square one....

Can I make my sql server secure somehow even though the game knows the password and login??

This is very frustrating... damned hackers! I do need some clarification if you please :-)

Memige · Jun 19, 2013 at 12:21 AM 0

Your best shots are to obfuscate as you mentioned, hash the log in credentials, and preferably get an SSL connection. You will never stop all hacking, but those steps should make it annoying enough to hack it that most won't bother. Generally you want to avoid storing any sensitive data client-side. Database log in is definitely a tricky situation though.

whydoidoit · Jun 19, 2013 at 12:24 AM 0

Can you not talk directly to the SQL but issue verifiable commands through a web interface or something?

acriticalstrike · Jun 19, 2013 at 12:52 AM 0

I've never set up a webserver that is designed to just take "verifiable commands" and send it over to the real server, this seems like the obvious route to take I'm just not sure how to implement it yet... I figure I would have a server that sits there as the "gatekeeper" and the login info the client has would be linked to that, it would then parse queries from the clients and check to see if they are legal then it would pass data back and forth to the second "archive" server that would actually contain all of the other databases I keep track of, I've just never done that before so I do need some direction...

acriticalstrike · Jun 19, 2013 at 04:10 AM 0

No one has an answer?

whydoidoit · Jun 19, 2013 at 08:35 AM 0

Well a PHP server would be one way to go I guess or Ruby on Rails or something. We use a Java based server that logs in to a MySQL database and verifies for no buffer overruns, issues commands based on the demands of the application etc.

Forward encrypted hashed and salted passwords log us into our own server.

5 Replies
3
Best Answer

Answer by Narv · Jun 19, 2013 at 03:49 PM

Use a web server gateway and send the data (and receive it) with either XML or JSON (JSON being probably the easiest to manipulate)

You can send it something like {method => "get", what => "email", where => "users", value => {username_variable} }

then in PHP parse it to an array then

sql_query("SELECT email FROM users WHERE username = {username_variable};"); // this isn't valid, depends on database but you get the idea

then echo out the results in a JSON format like {email => "{returned value}"}

then in your game just read the output of the site and then parse the JSON and do what you need with the email variable... this keeps some of your stuff safe "you can make alias for table names and fields, etc".. they won't see your SQL username and password.. and then in your PHP script, check to see if the SQL code is valid.. make sure to do some safe code like a MySQL_real_escape_string() etc so they don't SQL inject hack.. turn off error handling and do try/catch so they don't see any raw PHP errors exposed and get data from that.

You can try and do some sort of funky public/private key thing... though they will have access to the public key and if they know enough to decompose your C# code, they will figure out when sending fake headers and strings to your site via a GET or POST HTTP Header, they will just send that along with it.

Though if you are doing this enough, you could then just use a TCP network connection and PHP's sockets and make sure it's a valid user connection from the client that is sending the HTTP headers.

whydoidoit · Jun 19, 2013 at 04:11 PM 0

Great answer

2

Answer by Jamora · Jun 19, 2013 at 04:25 PM

Like whydoidoit said; you should never allow your clients to directly talk to a database. Not even if it's a local database; then you'd have an interface between the database and any game logic.

What you need is a master server that clients connect to (possibly using usernames and passwords) and have the server do any database access. End result is no sensitive data on the client's computer, apart from the master server address.

This way the clients never have to even care how you store data server-side as they just tell the server: "give me this data" or "store this data". If you ever need to change databases, you can just swap the database, change the database access code on the server and be done with it. Clients never need to know.

In case you don't have a master server, I've used Smartfox. There are other server software out there too, I hear Photon works well too.

acriticalstrike · Jun 20, 2013 at 01:14 AM 0

Thanks for the direction, is there a tutorial for setting up a gateway to connect to mySQL server?
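
The gateway that Narv's and Jamora's answers describe, as an added example that is not code from any poster in this thread: the client sends only a JSON command, and the server maps it through an allow-list to a fixed query with bound parameters (used here in place of the string escaping mentioned above) and returns generic errors. Python and an in-memory SQLite table stand in for the PHP/MySQL setup; the command names, table layout and sample rows are constructed for illustration.

```python
import json
import sqlite3

# Allow-list: (method, what, where) aliases sent by the client map to fixed,
# parameterized statements. Clients never supply SQL, table or column names,
# and the database credentials exist only on this server.
COMMANDS = {
    ("get", "email", "users"): "SELECT email FROM users WHERE username = ?",
    ("get", "score", "users"): "SELECT score FROM users WHERE username = ?",
}

def make_demo_db():
    """Constructed sample data; in-memory SQLite stands in for the MySQL server."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users "
               "(username TEXT PRIMARY KEY, email TEXT, score INTEGER)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("alice", "alice@example.test", 120),
                    ("bob", "bob@example.test", 75)])
    return db

def handle_request(db, raw_body):
    """Validate one JSON request body and return a JSON reply string."""
    try:
        req = json.loads(raw_body)
        key = (req["method"], req["what"], req["where"])
        value = req["value"]
        sql = COMMANDS.get(key)  # TypeError if a field is not hashable
    except (ValueError, KeyError, TypeError):
        return json.dumps({"error": "bad request"})
    if sql is None or not isinstance(value, str) or len(value) > 64:
        return json.dumps({"error": "bad request"})
    try:
        # The value is bound as a parameter, never spliced into the SQL text.
        row = db.execute(sql, (value,)).fetchone()
    except sqlite3.Error:
        # Generic reply: no raw database error reaches the client.
        return json.dumps({"error": "server error"})
    if row is None:
        return json.dumps({"error": "not found"})
    return json.dumps({key[1]: row[0]})
```
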

1

Answer by JacobK · Jun 19, 2013 at 04:12 PM

You should not be connecting to the SQL server from any code the client is running!

Your client needs to send the message to a server, which should be the only thing doing the SQL connection.

1

Answer by Ony · Jun 22, 2013 at 03:15 AM

I gave you an answer with full scripts here but now I see that you've asked this same question three times. You might want to either clarify what it is you're asking for or try to follow what people offer you. Otherwise it's just a waste of someone's time to try to help if you're not even going to try what they offer up.

0

Answer by ExpiredIndexCard · Jun 19, 2013 at 12:22 AM

MD5 hash your MD5 hashed code. Then MD5 Hash it again. Then convert that to bytes. Then convert to a string. Then MD5 Hash it. TA DA

acriticalstrike · Jun 19, 2013 at 12:50 AM 0

LOL that's perfect my data structures professor would be proud
