Looking for an example of PHP Using mySQL Update command during game runtime.

grfxman · Oct 4, 2010

Looking for an example of PHP Using mySQL Update command during game runtime. I been trying all night to get it working. I have Log-In and registration working fine. Thanks to some examples on this forum.

But their must be 9 different ways to write a php page that updates a mySQL data bases and I can't get any of them working. . I'm trying to use the players name and password to determine that the correct data is updated.

Thanxs

CorruptedHeart · Oct 4, 2010

If you save the user's ID (if you have a UserID coloumn) you could use that instead of name and password to keep track of the user and then update where UserID = $user , ect.

grfxman · Oct 5, 2010

The Main Reason I'm not using the user ID is there are going to be a multitude of tables by the time we are done. You have no guarantee that if 50 people register at the same time that all of their Table user Id's will match.
Also "UPDATE" and "Where" seem to be fairly common mySQL commands.

But I find it strange out of 17 Unity tutorials I found, Not a single one covers using the UPDATE command in your PHP file for your Unity game.

Last but not least I just switched to a Windows Server using IIS7 and there does seem to be multiple issues on Google about using form variables in mySQL commands in PHP.

grfxman · Oct 5, 2010

I finally muddled through it and figured out the proper Syntax. PHP is not very forgiving to horrible typist like myself.

Here is an example PHP function that updates an mySQL database:

Code (csharp):

function PutAbilitiez()

{

$gameName = $_POST[ 'gameName' ];

$playerPassword = $_POST[ 'playerPassword' ];

$sex = $_POST[ 'sex' ];

$bodyType = $_POST[ 'bodyType' ];

$skinType = $_POST[ 'skinType' ];

$firstName = $_POST[ 'firstName' ];

$lastName = $_POST[ 'lastName' ];

$age = $_POST[ 'age' ];

$playerEmail = $_POST[ 'playerEmail' ];

////////////////////////////////////////////////////////////////////////////

//

// ABILITY SCORES

//

////////////////////////////////////////////////////////////////////////////

$strength = $_POST[ 'strength' ];

$strengthMax = $_POST[ 'strengthMax' ];

$agility = $_POST[ 'agility' ];

$agilityMax = $_POST[ 'agilityMax' ];

$dexterity = $_POST[ 'dexterity' ];

$dexterityMax = $_POST[ 'dexterityMax' ];

$stamina = $_POST[ 'stamina' ];

$staminaMax = $_POST[ 'staminaMax' ];

$health = $_POST[ 'health' ];

$healthMax = $_POST[ 'healthMax' ];

$intelligence = $_POST[ 'intelligence' ];

$intelligenceMax = $_POST[ 'intelligenceMax' ];

$comprehension = $_POST[ 'comprehension' ];

$comprehensionMax = $_POST[ 'comprehensionMax' ];

$psyche = $_POST[ 'psyche' ];

$psycheMax = $_POST[ 'psycheMax' ];

$mana = $_POST[ 'mana' ];

$manaMax = $_POST[ 'manaMax' ];

$lastPosX = $_POST[ 'lastPosX' ];

$lastPosY = $_POST[ 'lastPosY' ];

$lastPosZ = $_POST[ 'lastPosZ' ];

////////////////////////////////////////////////

$anchorHead = $_POST[ 'anchorHead' ];

$anchorLeftHand = $_POST[ 'anchorLeftHand' ];

$anchorRightHand = $_POST[ 'anchorRightHand' ];

$anchorChest = $_POST[ 'anchorChest' ];

$anchorPelvis = $_POST[ 'anchorPelvis' ];

$anchorRightBicep = $_POST[ 'anchorRightBicep' ];

$anchorRightForeArm = $_POST[ 'anchorRightForeArm' ];

$anchorRightWrist = $_POST[ 'anchorRightWrist' ];

$anchorLeftBicep = $_POST[ 'anchorLeftBicep' ];

$anchorLeftForeArm = $_POST[ 'anchorLeftForeArm' ];

$anchorLeftWrist = $_POST[ 'anchorLeftWrist' ];

$anchorRightThigh = $_POST[ 'anchorRightThigh' ];

$anchorRightCalf = $_POST[ 'anchorRightCalf' ];

$anchorRightAnkle = $_POST[ 'anchorRightAnkle' ];

$anchorLeftThigh = $_POST[ 'anchorLeftThigh' ];

$anchorLeftCalf = $_POST[ 'anchorLeftCalf' ];

$anchorLeftAnkle = $_POST[ 'anchorLeftAnkle' ];

$defaultHair = $_POST[ 'defaultHair' ];

////////////////////////////////////////////////

$XPstrength = $_POST[ 'XPstrength' ];

$XPagility = $_POST[ 'XPagility' ];

$XPdexterity = $_POST[ 'XPdexterity' ];

$XPstamina = $_POST[ 'XPstamina' ];

$XPhealth = $_POST[ 'XPhealth' ];

$XPintelligence = $_POST[ 'XPintelligence' ];

$XPcomprehension = $_POST[ 'XPcomprehension' ];

$XPpsyche = $_POST[ 'XPpsyche' ];

$XPmana = $_POST[ 'XPmana' ];

////////////////////////////////////////////////

$hitPoints = $_POST[ 'hitPoints' ];

$hitPointsMax = $_POST[ 'hitPointsMax' ];

$basePhyAtk = $_POST[ 'basePhyAtk' ];

$basePhyDef = $_POST[ 'basePhyDef' ];

$baseShotAtk = $_POST[ 'baseShotAtk' ];

$baseMenAtk = $_POST[ 'baseMenAtk' ];

$baseMenDef = $_POST[ 'baseMenDef' ];

$speedMod = $_POST[ 'speedMod' ];

////////////////////////////////////////////////////////////////////////////

// The DATABASE NAME is fw

// $SQL = "SELECT * FROM players WHERE gameName = ' " . $gameName . " ' AND playerPassword = ' " . $playerPassword . " ';";

// mysql_query( $SQL ) or die( mysql_error() );

$query = "UPDATE players SET strength = '" . $strength . "', strengthMax = '" . $strengthMax . "',

agility = '" . $agility . "', agilityMax = '" . $agilityMax . "',

dexterity = '" . $dexterity . "', dexterityMax = '" . $dexterityMax . "',

stamina = '" . $stamina . "', staminaMax = '" . $staminaMax . "',

health = '" . $health . "', healthMax = '" . $healthMax . "',

intelligence = '" . $intelligence . "', intelligenceMax = '" . $intelligenceMax . "',

comprehension = '" . $comprehension . "', comprehensionMax = '" . $comprehensionMax . "',

psyche = '" . $psyche . "', psycheMax = '" . $psycheMax . "',

mana = '" . $mana . "', manaMax = '" . $manaMax . "',

lastPosX = '" . $lastPosX . "', lastPosY = '" . $lastPosY . "',

lastPosZ = '" . $lastPosZ . "', anchorHead = '" . $anchorHead . "',

anchorLeftHand = '" . $anchorLeftHand . "', anchorRightHand = '" . $anchorRightHand . "',

anchorChest = '" . $anchorChest . "', anchorPelvis = '" . $anchorPelvis . "',

anchorRightBicep = '" . $anchorRightBicep . "', anchorRightForeArm = '" . $anchorRightForeArm . "',

anchorRightWrist = '" . $anchorRightWrist . "', anchorLeftBicep = '" . $anchorLeftBicep . "',

anchorLeftForeArm = '" . $anchorLeftForeArm . "', anchorLeftWrist = '" . $anchorLeftWrist . "',

anchorRightThigh = '" . $anchorRightThigh . "', anchorRightCalf = '" . $anchorRightCalf . "',

anchorRightAnkle = '" . $anchorRightAnkle . "', anchorLeftThigh = '" . $anchorLeftThigh . "',

anchorLeftCalf = '" . $anchorLeftCalf . "', anchorLeftAnkle = '" . $anchorLeftAnkle . "',

defaultHair = '" . $defaultHair . "', XPstrength = '" . $XPstrength . "',

XPagility = '" . $XPagility . "', XPdexterity = '" . $XPdexterity . "',

XPstamina = '" . $XPstamina . "', XPhealth = '" . $XPhealth . "',

XPintelligence = '" . $XPintelligence . "', XPcomprehension = '" . $XPcomprehension . "',

XPpsyche = '" . $XPpsyche . "', XPmana = '" . $XPmana . "',

hitPoints = '" . $hitPoints . "', hitPointsMax = '" . $hitPointsMax . "',

basePhyAtk = '" . $basePhyAtk . "', basePhyDef = '" . $basePhyDef . "',

baseShotAtk = '" . $baseShotAtk . "', baseMenAtk = '" . $baseMenAtk . "',

baseMenDef = '" . $baseMenDef . "', speedMod = '" . $speedMod . "'

WHERE gameName = '" . $gameName . "' AND playerPassword = '" . $playerPassword . "'";

mysql_query( $query ) or die( mysql_error() );

}

absolutebreeze · Oct 5, 2010

The Main Reason I'm not using the user ID is there are going to be a multitude of tables by the time we are done. You have no guarantee that if 50 people register at the same time that all of their Table user Id's will match.
Click to expand...

If you use auto increment then they will not match.

Your PHP example is full of SQL injection holes. At the 'very least' you should be casting(cleansing) the variables into their correct expected datatypes.

grfxman · Oct 5, 2010

Actually I'm eager to learn everything I can do to prevent security leaks. Any chance you can show us AbsoluteBreeze?

absolutebreeze · Oct 5, 2010

Well your passing variables directly into your sql - without even checking that they are what they say they are.

If your variable is expecting to be a float then cast it as such....

Code (csharp):

$lastPosX = (float) $_POST[ 'lastPosX' ];

$lastPosY = (float) $_POST[ 'lastPosY' ];

$lastPosZ = (float) $_POST[ 'lastPosZ' ];

If its text such as

Code (csharp):

$gameName = $_POST[ 'gameName' ];

Then you should make sure that only alphabetic characters are used and no apotrophes etc.

A function like this is minimal (Its untested - and not perfect)

Code (csharp):

function Wash($str) {

$str = @trim(stripslashes($str));

return mysql_real_escape_string($str);

}

could be called like

Code (csharp):

$gameName = Wash($gameName);

Also using regular expressions to make sure things are formatted correctly (email addresses etc).

Its a whole subject and well worth spending a few days researching

grfxman · Oct 5, 2010

Thanxs that's an excellent start. The Log-In code I used is a modified one from this forum :

http://forum.unity3d.com/threads/24721-Tutorial-Unity-and-PHP-login-script-simple-but-useful

I think it had some security which I am planning to port to the other PHP files.

absolutebreeze · Oct 5, 2010

I think the main rule with php (or any web app) is not to trust anything and check everything is exactly what it says it is.

grfxman · Oct 5, 2010

Since you know a Lot more about this then I do, What do you think of the " anti_injection_login " function in the link I provided above? I was curious how secure it actually was. To be honest I'm not even sure all that it does. PHP is very new to me.

absolutebreeze · Oct 5, 2010

Its ok, and will do the job, I suspect there are much better scripts/functions online. Its definitely a good step forward for you though.

I'd also not use MD5 for passwords - and instead choose SHA1.

grfxman · Oct 5, 2010

Why SHA1 ??

absolutebreeze · Oct 5, 2010

Because md5 is insecure. If any one managed to expose your data (through sql injection) then all you're users passwords would be crackable by using the rainbow tables.

grfxman · Oct 5, 2010

Thank you you have saved me a lot of time.

grfxman · Oct 5, 2010

I can't seem to find Unity code for SHA1 do you have a link? Looking for Java script and C# if possible.

absolutebreeze · Oct 5, 2010

I've only used it for PHP apps (I develop finance apps in my day job), but this should do it....

http://www.kindblad.com/2009/03/24/how-to-generate-the-sha-1-hash-of-a-string-using-c/

So, you store the encrypted hash as a password in your database, then when a user typesa password into your game, the web player encrypts the newly typed password with the hash and then compares it against the stored hash in your db.

grfxman · Oct 5, 2010

Thanks Again.

Seems I might be out of luck as far as a java script version. Found a few online but they all give errors in Unity Editor.

absolutebreeze · Oct 5, 2010

Well I'm currently working on a leader board management system, I wasn't intending on having it store passwords - but if I get time I'll put some effort into a SHA1 routine (js) and give you a shout.

Probably wont be for a couple of weeks though.

grfxman · Oct 5, 2010

That would be great !!!! Because it would be near impossible for me to port it myself.

absolutebreeze · Oct 5, 2010

Well no promises - but I'll take a shot at it

grfxman · Oct 5, 2010

Since we are talking about basic security. One thing I haven't seen mentioned on the forum or wiki is this PHP command:

Code (csharp):

require ($_SERVER["DOCUMENT_ROOT"] . "mygame/config/db_config.php"); // get connection variables

You make a sub-directory called "config" and put all your connection and hash variables in a PHP file called

"db_config.php" .

Then you shut off all outside permissions on your Server for that sub-directory and file. I know it's basic, But all the examples have it on the Main PHP page.

absolutebreeze · Oct 5, 2010

Yeah that makes sense - that way your not copying your connection strings etc into each php script separately.... just do it once and include it.

Search Unity

Unity ID

Useful Searches

Looking for an example of PHP Using mySQL Update command during game runtime.