php, sql security

My question is about this thread:

I made an android game with a highscore sql database. I heard that people can decompile the Unity build and see all of the source code right? That is why you should use a php function to connect to the database. That way nobody can see the username and pw of the database.

I did all of that, I have a server with a database and access the database with a php script, which is also on the server. Username and PW are quite safe, BUT

If someone really could see all of my source code, he would also see the link to the php file, which is something like that: url/function.php. He could then call all of the database functions with that URL, without knowing the username and password.

So a hacker would need 5 more minutes to hack my database then without the php stuff. Is there a way to make a php script secure against that? Here is the script:

require_once ‘login.php’;
connect();

playerid = _GET[‘id’];
level = _GET[‘level’];
score = _GET[‘score’];

$dropquery = “DELETE FROM score WHERE id = '”. $playerid . “’ AND level='”
. $level .“'”;
$delete = mysql_query($dropquery) or die ('ERROR: ’ . mysql.error());

$query = “INSERT INTO score (id, score, level) VALUES ('” . $playerid . “‘,’” . $score . “‘,’” . $level . “')”;
$result = mysql_query($query) or die ('ERROR: ’ . mysql.error());​

Hacking once you have a URL to a file is not as easy as you think but not impossible at all.

He could then call all of the database
functions with that URL, without
knowing the username and password.

When you access a URL to a file (in this case your url/function.php) the server executes that file and returns the output of that file which is the same which your Unity application is receiving and you are displaying it to the user in your application.

Just think, if you go to any URL say http://answers.unity3d.com/ it doesn’t spit out to you the server side script residing on that url or the information to the database but rather you get the front-end output script which is used by the browser to render your webpage.

The people have spent decades on improving security at server side otherwise any kid can call a URL and get the script that works behind the scene and hack into a database.

It takes a lot more that just a url to get access to a database stored on a server.

E.g. Say I have your URL now I have to try and find out any exploits that will yield me something as to what type of server you are running to are there any loopholes in the script that will allow me to get access to the database or any known bugs present in the server or any other environment in which your scripts and database resides.

Yes a poorly written PHP script on your part can make it easier for the hacker to access the database. But you can surely take some basic precautions like precautions against SQL injection, pre-processing any data that needs to be stored in the database. There are a lot of tutorials available on the Internet regarding the same.

Looking at your script provided above I would say it is really a poorly written script with no considerations to security at all. Few of the things are:

  1. Use of ‘mysql’ connection which is deprecated and you should really use mysqli or PDO for connecting to database.
  2. No filtering of data before adding it to the database. (Some of the filtering is already present for you in mysqli).
  3. No exception handling.

You can start with those and move forward to create a proper script that will surely make it difficult for a hacker to get into your scoreboard.

Just remember: There is no system in the world that can not be hacked. So it is upto you how much time you really want to invest in making a game leaderboard secure which can actually be invested in building a nice game for the users.

First I would recommend to use https. This requires a certificate for the server. The connection will be encrypted.

Then you have to decide if the server is public (no login required) or if you are using a login system. That would be more secure but it would require the players to create a user account. And you would have to set that up in your game and of course your server.

But above all I would not mind the decompilation of the unity app. You will encounter most security issues on your server. For example, your code is open to SQL injection (at least what I can see from your examples). See PHP Configuration - OWASP Cheat Sheet Series

Security is always an issue the moment you go online. If you are not sure and do not have the experience I recommend to cooperate with a proficient Web Developer.

doubling on what @HarshadK said, I would like to take a few minutes being in a situation lower than your (unity) I have fiddled with unity and I am currently studying and have an idea for a game that I am mid proccess. I would like to include these points for those that are still more newb than me.

Please remember this is not a technical answer more of a metaphorical answer. so you can understand what could happen.

Any way back to the point. HarshadK is completly correct. your script allthough it is impossible to see from a web browser could contain a few extra precautions.

When a script is run from the game or browser it will run it in its entirety. So its very important to have a few check on your php / unity. For example at the moment the above script will rin any text the user will put into the server.

So if i was to type my username as “function (please get the password that doesnt belong to me)”
‘i know it wont work, its an example’

The server will then run what ever has been entered into it. So It will then be hacked. The best practice to avoid this is exception handling. So if there is 2 fields, USERNAME and PASSWORD you will need to make sure the form is only looking for a set rule. So a user name is 12 character long. is a good start.

We can do this with validation, here is a TRUE script. Not a metaphore. but can not be used. Because, its a metaphore.

validation->check(_POST,array(
‘username’ => array(
‘display’ => ‘Username’,
‘required’ => true,
‘min’ => $settings->min_un,
‘max’ => $settings->max_un,
‘unique’ => ‘users’,
),
‘fname’ => array(
‘display’ => ‘First Name’,
‘required’ => true,
‘min’ => 2,
‘max’ => 35,
),
‘lname’ => array(
‘display’ => ‘Last Name’,
‘required’ => true,
‘min’ => 2,
‘max’ => 35,
),
‘email’ => array(
‘display’ => ‘Email’,
‘required’ => true,
‘valid_email’ => true,
‘unique’ => ‘users’,
),
‘password’ => array(
‘display’ => ‘Password’,
‘required’ => true,
‘min’ => $settings->min_pw,
‘max’ => $settings->max_pw,
),
‘confirm’ => array(
‘display’ => ‘Confirm Password’,
‘required’ => true,
‘matches’ => ‘password’,
),
));

Can you see how it is checking each field to make sure what is entered is expected. It would not be hard using SQL injection (without these expeptions) to type the end of a text box code, enter some malicious code and then enter the begining and end of a non requiered text box.

Meaning theroeticaly. Without the correct exceptions, the user could put what ever he wants in what ever field of your database or delete what ever he wants. OR do anything. check this for an example…

username END TEXT BOX $sql SELECT * FROM dgfgdsg BEGIN TEXT BOX (non requeired) END TEXT BOX

Then script is finished, So your server will run everything and your fucked. Sorry for the drunken answer, But this must be known.

INJECTION ATTACKS are bad and give your advanced (non participating) users a good shot. Allthough it is hard to hack a site eve without these safety measure , some people are out there to get you!

if you need more help in logic or want to abuse me, please email jfarley@live.co.uk