Doubling on what @HarshadK said, I would like to take a few minutes, being in a situation lower than yours (Unity). I have fiddled with Unity, I am currently studying, and I have an idea for a game that I am mid-process on. I would like to include these points for those who are still more of a newb than me.
Please remember this is not a technical answer, more of a metaphorical answer, so you can understand what could happen.
Anyway, back to the point. HarshadK is completely correct. Your script, although it is impossible to see from a web browser, could contain a few extra precautions.
When a script is run from the game or browser, it will run in its entirety. So it's very important to have a few checks on your PHP / Unity. For example, at the moment the above script will run any text the user puts into the server.
So if I was to type my username as “function (please get the password that doesn’t belong to me)”
‘I know it won’t work, it’s an example’
The server will then run whatever has been entered into it. So it will then be hacked. The best practice to avoid this is exception handling. So if there are 2 fields, USERNAME and PASSWORD, you will need to make sure the form is only looking for a set rule. So “a username is 12 characters long” is a good start.
We can do this with validation. Here is a TRUE script, not a metaphor, but it cannot be used, because it’s a metaphor.
    // Each key is a form field; the inner array lists the rules that field must pass.
    $validation->check($_POST, array(
        'username' => array(
            'display' => 'Username',
            'required' => true,
            'min' => $settings->min_un,
            'max' => $settings->max_un,
            'unique' => 'users',
        ),
        'fname' => array(
            'display' => 'First Name',
            'required' => true,
            'min' => 2,
            'max' => 35,
        ),
        'lname' => array(
            'display' => 'Last Name',
            'required' => true,
            'min' => 2,
            'max' => 35,
        ),
        'email' => array(
            'display' => 'Email',
            'required' => true,
            'valid_email' => true,
            'unique' => 'users',
        ),
        'password' => array(
            'display' => 'Password',
            'required' => true,
            'min' => $settings->min_pw,
            'max' => $settings->max_pw,
        ),
        // 'matches' makes the confirmation field equal the password field.
        'confirm' => array(
            'display' => 'Confirm Password',
            'required' => true,
            'matches' => 'password',
        ),
    ));
Can you see how it is checking each field to make sure what is entered is expected? It would not be hard, using SQL injection (without these exceptions), to type the end of a text box code, enter some malicious code, and then enter the beginning and end of a non-required text box.
Meaning, theoretically, without the correct exceptions, the user could put whatever he wants in whatever field of your database, or delete whatever he wants, OR do anything. Check this for an example…
username END TEXT BOX $sql SELECT * FROM dgfgdsg BEGIN TEXT BOX (non required) END TEXT BOX
Then the script is finished, so your server will run everything and you’re fucked. Sorry for the drunken answer, but this must be known.
INJECTION ATTACKS are bad and give your advanced (non-participating) users a good shot. Although it is hard to hack a site even without these safety measures, some people are out there to get you!
If you need more help in logic or want to abuse me, please email jfarley@live.co.uk
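
A runnable sketch of the server-side checks this answer describes, added here as an example and not taken from the post or from the validation code it quotes: length rules on each field, followed by a parameterized query. The limits, the `users` table, the function names and the sample inputs are assumptions constructed for the demo.

```php
<?php
// Added example, not from the original post. Limits, table and column names are assumptions.
const MIN_UN = 3, MAX_UN = 12, MIN_PW = 8, MAX_PW = 72;

// Length rules in the spirit of the 'min' / 'max' entries quoted above.
function validate_login(array $in): array {
    $errors = [];
    foreach ([['username', MIN_UN, MAX_UN], ['password', MIN_PW, MAX_PW]] as [$field, $min, $max]) {
        $v = $in[$field] ?? null;
        if (!is_string($v) || strlen($v) < $min || strlen($v) > $max) {
            $errors[] = "$field must be $min-$max characters";
        }
    }
    return $errors;
}

function find_user(PDO $db, string $username): ?array {
    // The ? placeholder sends the value separately from the SQL text, so quotes
    // or SQL keywords inside $username are compared as data and never executed.
    $stmt = $db->prepare('SELECT id, username, pw_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function login(PDO $db, array $in): string {
    if ($errors = validate_login($in)) {
        return 'rejected: ' . implode('; ', $errors);
    }
    $user = find_user($db, $in['username']);
    if ($user === null || !password_verify($in['password'], $user['pw_hash'])) {
        return 'denied';
    }
    return 'ok';
}

// Constructed demo data in an in-memory SQLite database (needs the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pw_hash TEXT)');
$db->prepare('INSERT INTO users (username, pw_hash) VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

$samples = [
    ['username' => 'alice', 'password' => 'correct horse'],        // valid credentials
    ['username' => "x' OR '1'='1", 'password' => 'whatever1'],     // quote characters, within the length limit
    ['username' => str_repeat('a', 40), 'password' => 'whatever1'], // longer than MAX_UN
];
foreach ($samples as $in) {
    echo $in['username'], ' => ', login($db, $in), PHP_EOL;
}
```

The second sample is exactly 12 characters, so it passes the length rule; it is the placeholder in `find_user` that keeps it from changing the query.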