
DB calls and Global Monitoring

Discussion in 'Multiplayer' started by arcady87, Sep 1, 2015.

  1. arcady87

    arcady87

    Joined:
    Jul 24, 2013
    Posts:
    25
    hello! lately i have been reading many posts and topics about "security". simply, the extraction of sensitive data from your own sources seems definitely too much easier. now i'm terrified, literally disappointed.

    at least, how could i "protect" any request from/to MySQL? is there any real risk that user(s) themselves can send (by manipulating) such links?

    example: //website/score.php?username=JohnDoe&score=10

    in this forum, many suggest to use WWWForm() instead of "plain" String variables. is this a "real" solution or just an attempt to "mask" the process?

    there, my second question. let's imagine a peer-to-peer system.
    can you let users chat even if they are NOT connected to the same server?

    example: //John and Jack are already playing, Tom is not.
    how can Tom chat with John(or)Jack?
    how can Jack know if Tom is online?


    obviously many other questions can be related to this thought. i noticed this limited feature around Robocraft (indie game, developed by Freejam with Unity3D): friends can chat to each other only if-and-when they are in the menu.

    shortly, is it possible to force a client to send and receive data from two different sources? can i code and manage 2 sockets at the same time (MasterServer's excluded)? maybe, by sending/retrieving data from another external application? @_@

    i referred to this answer, but it sounded alien to me:
    http://answers.unity3d.com/questions/668527/multiple-server-instances-on-one-pc.html

    my stupid idea is to save/store all the "offline" messages into the database (kinda buffer) and clean it when users relog. does it make any sense?

    thanks ahead time for your dealing.
    -arcady87

    PS. please, excuse me if my questions sound silly. be patient. thanks.
     
    Last edited: Sep 1, 2015
  2. TehGM

    TehGM

    Joined:
    Nov 15, 2013
    Posts:
    89
    I'll answer only a few of your questions, as I am currently tired so I prefer to only say what I know 100% and can think of atm lol.
    First of all, using WWWForm lets you use POST in PHP requests. While they're not as visible as in-link, they are easy to make up. You can read about it briefly here.
    If something is really sensitive, I suggest you either do it only on the authoritative server side, or use some encryption. Also, you can send some password in post that only your client/server knows to make it a little harder - however it's still fairly easy to bypass. There are other ways ofc, but those are the simplest that I can think of atm - and if anyone has a nice solution, I'd also like to hear.

    If you want chat to be server-independent, you'd need a separate chat server. Normally it'd be rather straightforward to do, but I'm not sure how it could be handled using Unity - I was thinking of using UNet for game stuff and Photon for chat. But I didn't run into a need to do so yet.

    About storing offline messages - that you can do. Also it can work with message history, even if temporal. Or simply use an in-game mailing system - basically any MMO can be an example of this.
     
    arcady87 likes this.
  3. arcady87

    arcady87

    Joined:
    Jul 24, 2013
    Posts:
    25
    @TehGM - first off, thank you very much for your dealing.

    about "PHP Post requests" - indeed that's how i currently handle PHP calls.

    about "offline messages" - your confirmation and approval was totally unexpected.

    about "global chat" - working on it thru TCP, maybe i can close some results.
     
    Last edited: Sep 3, 2015
  4. TehGM

    TehGM

    Joined:
    Nov 15, 2013
    Posts:
    89
    Really nice... and inspiring I must admit. Now I might attempt to code my version later, too.
     
    arcady87 likes this.
  5. arcady87

    arcady87

    Joined:
    Jul 24, 2013
    Posts:
    25
    @TehGM - thank you very much.

    honestly i am not very familiar with sockets' logic, but "logic" in general. i have made many researches to understand the basics of C# sockets, i saw the most complex scripts around.

    on the Wiki you can look at a very complicated code that can handle everything from/to Unity3D via TCP. everyone uses C# maybe because of its hyper stability and flexibility to create and read custom DLL libraries. however i do not care, my necessities are definitely more specific.
     
    Last edited: Sep 13, 2015
  6. TehGM

    TehGM

    Joined:
    Nov 15, 2013
    Posts:
    89
    .NET libraries are not really hard to read, either. I can suggest an app called Confuser. It works really nicely for obfuscating .NET code.
     
    arcady87 likes this.
  7. arcady87

    arcady87

    Joined:
    Jul 24, 2013
    Posts:
    25
    let's imagine a malicious user that finds a way to inject the code. they could intercept the encrypted data and send it back with no-legal data infi. a persistent sniffing process sounds paranoid but, personally speaking, i know some nerds who might spend hours on this.

    how do i face this problem?

    waiting for answers and help. thank you.
    -arcady87
     
    Last edited: Sep 13, 2015
  8. TehGM

    TehGM

    Joined:
    Nov 15, 2013
    Posts:
    89
    I'm not sure about how to secure stuff well without a dedicated server, and I was thinking of it too, as for my current project design a dedicated server seems pointless (making a match PvP game with PvE raids). What I thought, besides an anti-cheat system, would be that only the host sends match results data to the database server. Like I want reward items at the end of my match, the host would send all players' data and match results via PHP, the server would calculate it and send rewards info back.
    Also, if I implement registering via website, the web server would hold all the data of what the player unlocked. And the host would check it when the player tries to spawn etc, and kick him out if the player tries to use something he hasn't unlocked yet.
    Ofc, this doesn't remove risk completely, but surely gives cheaters a chance to cheat only if they host by themselves.

    I also thought of having a confirmation auth token generated by the webserver and sent to the player as he logs in. This would be then used to send along with a request to check if the player that sends it is actually the player that sent it. But now, as I was writing this post, I realized that this will be useless if the host has to hold the data. I am thinking of using 2 tokens, one for private use and one for host use, but it's just an initial idea and I'll have to consider it properly later.

    Those are just my ideas for future, as I am just slowly developing it and barely started. But better that than nothing.
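
The login token idea from the post above, applied to a request like score.php?username=JohnDoe&score=10, as an added example (not code from any poster in this thread). The class name, key, token format and 1000-point cap are assumptions made for illustration, and it assumes the web server alone holds the key, so moving the request from GET to POST is not what protects it.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
static class ScoreGate
{
    // Added example, server side only. Constructed demo key; a real server loads a long random secret.
    static readonly byte[] ServerKey = Encoding.UTF8.GetBytes("demo-only-server-secret");
    const int MaxScorePerMatch = 1000; // hypothetical game rule
    static string Sign(string payload)
    {
        using (var h = new HMACSHA256(ServerKey))
            return Convert.ToBase64String(h.ComputeHash(Encoding.UTF8.GetBytes(payload)));
    }
    // Issued by the web server at login, format "player|expiryUnix|mac".
    public static string IssueToken(string player, long nowUnix, int ttlSeconds = 3600)
    {
        if (player.Contains("|")) throw new ArgumentException("'|' is the field separator");
        string payload = player + "|" + (nowUnix + ttlSeconds);
        return payload + "|" + Sign(payload);
    }

    // Constant-time comparison, so the MAC cannot be recovered through timing differences.
    static bool FixedEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Checks the server runs before a score reaches the database.
    public static bool AcceptScore(string token, string claimedPlayer, int score, long nowUnix)
    {
        string[] p = token.Split('|');
        if (p.Length != 3 || !long.TryParse(p[1], out long expiry)) return false;
        if (!FixedEquals(Sign(p[0] + "|" + p[1]), p[2])) return false; // forged or altered
        if (p[0] != claimedPlayer || nowUnix > expiry) return false;   // other player, or expired
        return score >= 0 && score <= MaxScorePerMatch;                // plausibility bound
    }

    static void Main()
    {
        long now = DateTimeOffset.UtcNow.ToUnixTimeSeconds();
        string token = IssueToken("JohnDoe", now);
        Console.WriteLine("valid token, score 10: " + AcceptScore(token, "JohnDoe", 10, now));
        Console.WriteLine("renamed token: " + AcceptScore(token.Replace("John", "Jack"), "JackDoe", 10, now));
        Console.WriteLine("score 999999: " + AcceptScore(token, "JohnDoe", 999999, now));
        Console.WriteLine("two hours later: " + AcceptScore(token, "JohnDoe", 10, now + 7200));
    }
}
```

A token like this only proves which logged-in player sent the request; a player can still submit any score inside the plausible range for their own account, which is why the thread leans toward results being computed on the server or host.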
     
  9. LevonRavel

    LevonRavel

    Joined:
    Feb 26, 2014
    Posts:
    179
    Arcady87, Actually i have a solution for your offline status etc.. I would agree that this is an inconvenience and unity should implement this into their engine but here is how the story goes..

    Run a thread <--- so nice of unity to make this safe
    The below code runs a small webclient and listens for incoming connections if there's a connection the server will write
    Accept / Decline..

    Code (CSharp):
    // Requires: using System.Net; (HttpListener), plus UnityEngine for Debug.Log.
    // Meant to run on its own thread, since GetContext() blocks.
    public void Listener()
    {
        HttpListener listener = new HttpListener();

        // The "*" wildcard accepts requests for any host name on this port,
        // on every network interface of the machine.
        listener.Prefixes.Add("http://*:" + mysqlInformation.webPort + "/");
        listener.Start();
        Debug.Log("Listening...");
        int maxPlayers = int.Parse(sqlEntries.maxPlayers);

        while (hosting)
        {
            // Blocks until a client sends a request.
            HttpListenerContext context = listener.GetContext();
            HttpListenerRequest request = context.Request;
            HttpListenerResponse response = context.Response;
            string responseString = "";

            // Every request counts as a connection; nothing in the request is checked.
            if (network_connections < maxPlayers)
            {
                network_connections++;
                responseString = "Accept";
            }
            else
            {
                responseString = "Decline";
            }

            Debug.Log(responseString);

            byte[] buffer = System.Text.Encoding.UTF8.GetBytes(responseString);

            // Send the plain-text answer and close the response.
            response.ContentLength64 = buffer.Length;
            System.IO.Stream output = response.OutputStream;
            output.Write(buffer, 0, buffer.Length);
            output.Close();
        }
        listener.Stop();
    }
    This is pulled from Crossnet.. Basically what this does is allow the client to check if the server is allowing connections before actually trying to join / connect..

    There must be a way to check for the running listener, I accomplish this by listing the ips in a mysql database, then the clients can communicate this way. You can send messages just like a chat or even send images, whatever your heart desires.. Hope I was able to help out a bit with the offline / online chat method. (Might want to snag up Crossnet if you haven't yet, strip the Upnp from it and use that also to forward ports etc).

    Now this one will blow your mind.. Why won't unity protect the assets on the asset store from piracy, some sort of security would be nice.
     
    Last edited: Sep 4, 2015
    arcady87 likes this.
  10. arcady87

    arcady87

    Joined:
    Jul 24, 2013
    Posts:
    25
    @LevonRavel - thank you very much for your help and time.

    i will limit myself to compare your own method with mine - i finished the global chat just yesterday, now i'm working on a bunch of methods to encrypt variables and packets. in particular, since i understand Java more than C#, i started with something called ByteArrayOutputStream.

    please, keep in mind i'm not a coder.

    thanks ahead time for your understanding.
    -arcady87
     
    Last edited: Sep 13, 2015
  11. TehGM

    TehGM

    Joined:
    Nov 15, 2013
    Posts:
    89
    arcady87 likes this.
  12. arcady87

    arcady87

    Joined:
    Jul 24, 2013
    Posts:
    25
    @TehGM - thanks for your feedback!

    as i wrote, i don't know C#, i am trying my best.

    hugs
    -arcady87
     
    Last edited: Sep 13, 2015
  13. LevonRavel

    LevonRavel

    Joined:
    Feb 26, 2014
    Posts:
    179
    Looking good :) I'll translate your share to c# then get back to you with it.
     
    arcady87 likes this.
  14. arcady87

    arcady87

    Joined:
    Jul 24, 2013
    Posts:
    25
    @LevonRavel - thanks for your support.

    by the way, that silly DLL is the top of the iceberg. i am realizing that you can bypass all Unity3D classes and import your own pre-compiled. thanks to this new approach, i am disclosing much more potential and flexibility. i would be curious to implement Ruby in Unity3D as well, it might be awesome and ridiculously fast in terms of development. anyway Javascript remains the most used code language.
     
  15. arcady87

    arcady87

    Joined:
    Jul 24, 2013
    Posts:
    25
    hey guys! i got my own MasterServer done! there i share a trial of what server and client send to each other. attention: these data are decrypted already.

    Code (csharp):
    1.  
    actually i'm working on the famous Lobby *thing*.

    so, that's. :)

    thank you all for your attention and help during the past days.
    -arcady87

    special thanks: @LevonRavel and @TehGM.
     
    Last edited: Sep 13, 2015