
MMORPG style login and registration system?

Discussion in 'Multiplayer' started by GameCode4878, Feb 9, 2016.

  1. elmar1028

    elmar1028

    Joined:
    Nov 21, 2013
    Posts:
    2,359
    That's right, but OP's code is unsafe.

    Code (CSharp):
    string myselectQuery = "SELECT * FROM table WHERE password = '" + pass + "' AND email LIKE '" + email + "'";
    It clearly asks for email and password as well as directly communicates with .php script to send QUERIES to SQL database, which exposes sensitive info.

    I am not sure if you've seen this, but I am throwing some links I found resourceful:

    http://wiki.unity3d.com/index.php?title=Server_Side_Highscores
    http://forum.unity3d.com/threads/tutorial-unity-and-php-login-script-simple-but-useful.24721/
     
  2. GameCode4878

    GameCode4878

    Joined:
    Jan 5, 2016
    Posts:
    173
    <?PHP
    //This is the current php for creating an account. Do not edit unless needed.
    $user = $_REQUEST["user"];
    $pass = $_REQUEST["pass"];
    $conn = mysqli_connect("fdb3.awardspace.net","???","???");
    mysqli_select_db($conn,"???");
    $check = mysqli_query($conn,"SELECT * FROM Players WHERE user = '".$user."");
    $numrows = mysqli_num_rows($check);
    if($numrows == 0){
    $pass = md5($pass);
    $ins = mysqli_query($conn,"INSERT INTO Players (user,pass) VALUES ('".$user."','".$pass."');");
    if($ins);
    die("Created account");
    }
    else
    {
    die("user aleady exists");
    }
    ?>


    The php seems to work somewhat but for some reason allows people to create accounts with the same name. How can I fix that?
     
  3. GameCode4878

    GameCode4878

    Joined:
    Jan 5, 2016
    Posts:
    173
    This is my first game to include a login system, I can learn how to make it more secure in the future. But for now I want to start simple. Can you help me with the code above?
     
  4. GameCode4878

    GameCode4878

    Joined:
    Jan 5, 2016
    Posts:
    173
    <?PHP
    $user = $_REQUEST["user"];
    $pass = $_REQUEST["pass"];
    $conn = mysqli_connect("fdb3.awardspace.net","???","???");
    if(!$conn){
    die("Could not connect to db");
    }
    else{
    mysqli_select_db($conn,"???");
    $check = mysqli_query($conn,"SELECT * FROM Players Where 'user' = '".$user."'");
    if($check)
    echo "Ok ";
    $numrows = mysqli_num_rows($check);
    if($numrows == 0){
    die ("username does not exist ");
    }
    }


    Here is another error I am facing: even if the username does exist in the database, the php treats it as if it does not. Above is the code for the login php.
     
  5. GameCode4878

    GameCode4878

    Joined:
    Jan 5, 2016
    Posts:
    173
    The login and create account phps are now functional, but with flaws. Whenever I create an account, they appear in the database blank, even if I assigned them info such as their username and password.

    <?PHP
    //This is the current php for creating an account. Do not edit unless needed.
    $user = $_POST['user'];
    $pass = $_POST["pass"];
    $conn = mysqli_connect("fdb3.awardspace.net","????","????");
    mysqli_select_db($conn,"????");
    $check = mysqli_query($conn,"SELECT * FROM Players WHERE `user` = '".$user."");
    $numrows = mysqli_num_rows($check);
    if($numrows == 0){
    $ins = mysqli_query($conn,"INSERT INTO Players (user,pass) VALUES (".$user.",".$pass.");");
    if($ins);
    die("Created account");
    }
    else
    {
    die("user aleady exists");
    }
    ?>


    Is there something in this code that could be causing this? Oh and by the way, the spots with "????" mark areas with stuff such as passwords that I can't give you. So don't ask what the question marks mean.
     
    Last edited: Feb 18, 2016
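
An added example, not code from any poster in this thread: the account-creation and login checks from the posts above, rewritten with prepared statements, a UNIQUE constraint on the user name, and password_hash() in place of md5(). It assumes PDO with an in-memory SQLite database standing in for the MySQL host so it runs without a server; the Players table and user/pass columns follow the posts, and createAccount() and login() are hypothetical names.

```php
<?php
// Added example, not from the thread. SQLite in-memory is an assumption that
// replaces the MySQL host so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// UNIQUE makes the database reject a second row with the same name,
// even when two requests arrive at the same moment.
$db->exec('CREATE TABLE Players (user TEXT NOT NULL UNIQUE, pass TEXT NOT NULL)');

function createAccount(PDO $db, string $user, string $pass): string
{
    if ($user === '' || $pass === '') {
        return 'missing user or pass';   // blank rows never reach the table
    }
    // Placeholders keep request values out of the SQL text entirely.
    $stmt = $db->prepare('INSERT INTO Players (user, pass) VALUES (:user, :pass)');
    try {
        // password_hash() salts and uses a slow algorithm, unlike md5().
        $stmt->execute([':user' => $user,
                        ':pass' => password_hash($pass, PASSWORD_DEFAULT)]);
    } catch (PDOException $e) {
        // SQLSTATE 23000: integrity constraint violation (the UNIQUE index).
        if ((string) $e->getCode() === '23000') {
            return 'user already exists';
        }
        throw $e;
    }
    return 'Created account';
}

function login(PDO $db, string $user, string $pass): string
{
    $stmt = $db->prepare('SELECT pass FROM Players WHERE user = :user');
    $stmt->execute([':user' => $user]);
    $hash = $stmt->fetchColumn();
    // Same reply for an unknown user and a wrong password.
    if ($hash === false || !password_verify($pass, $hash)) {
        return 'invalid login';
    }
    return 'login ok';
}

// Constructed sample requests; the apostrophe is stored as plain data.
echo createAccount($db, "o'brien", 'correct horse'), "\n";
echo createAccount($db, "o'brien", 'another pass'), "\n";
echo login($db, "o'brien", 'wrong pass'), "\n";
echo login($db, "o'brien", 'correct horse'), "\n";
```

With mysqli the same pattern uses mysqli_prepare() and mysqli_stmt_bind_param(); the UNIQUE index and password_hash()/password_verify() carry over unchanged.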
  6. GameCode4878

    GameCode4878

    Joined:
    Jan 5, 2016
    Posts:
    173
    I am using "WWWForms" and "form.Addfield" to send player info to the database. Is there a way to get the database to send info to the clients, such as the items in their inventory?
     
  7. Lee7

    Lee7

    Joined:
    Feb 11, 2014
    Posts:
    137
    You lack the knowledge and ability to learn on your own how to do this in a minimally functioning let alone secure manner.

    I suggest you take a look at http://playfab.com. They take care of all the backend for you and provide an easy-to-use Unity SDK.
     
  8. GameCode4878

    GameCode4878

    Joined:
    Jan 5, 2016
    Posts:
    173
    Thank you. But I don't want to abandon unity.
     
  9. elmar1028

    elmar1028

    Joined:
    Nov 21, 2013
    Posts:
    2,359
    Playfab is a plugin for Unity
     
  10. Lee7

    Lee7

    Joined:
    Feb 11, 2014
    Posts:
    137
    PlayFab does not replace Unity. PlayFab is a BaaS (Backend as a Service) tailored for video games.

    Other examples include Parse, GameSparks, Azure. I suggest using PlayFab as it will probably meet your needs and it is the easiest to use.

    https://playfab.com/unity/
     
  11. GameCode4878

    GameCode4878

    Joined:
    Jan 5, 2016
    Posts:
    173
  12. GameCode4878

    GameCode4878

    Joined:
    Jan 5, 2016
    Posts:
    173
    Thank you all!! The login screen and create account screen are now working! So are the php files and the database!
    I have also upgraded the database to allow the storage of more than just the username and password, but now it can store the amount of gold the player has, and will soon store all the game's data! Thank you! With the login and stats system out of the way, I can now move on to the other things in my game. I can now finally begin implementing the combat system! Thank you so much!
     
  13. illinar

    illinar

    Joined:
    Apr 6, 2011
    Posts:
    863
    Can I just run a headless Unity application as my back end server, without PHP layer? I could "attach" it to database. Of course it is not a pretty or elegant solution, but it will work just fine, right? Would I get a bad network performance, and/or database querying compared to PHP server?

    Of course I hope that millions of people will play my game, but for a start I just need it to handle a few thousands.
     
  14. mahdiii

    mahdiii

    Joined:
    Oct 30, 2014
    Posts:
    856
    It can be easily hacked. Hackers can make 100000 accounts if they find your URL address in the script.
     
  15. JoeStrout

    JoeStrout

    Joined:
    Jan 14, 2011
    Posts:
    9,859
    I would expect this to perform better than PHP. People use PHP because it is easy, not because it is particularly good.

    But @mahdiii has a reasonable point: think about security. You don't want bad actors messing up your game just because you've built a clean, clear API. Encryption is a deep topic, but something you want to at least be thinking about from the beginning.
     
  16. elmar1028

    elmar1028

    Joined:
    Nov 21, 2013
    Posts:
    2,359
  17. DRRosen3

    DRRosen3

    Joined:
    Jan 30, 2014
    Posts:
    683
    The PHP isn't a server (not in the sense that you're thinking). The PHP links the game to the database where information is stored. You wouldn't store information in a headless Unity build.

    Well, first, just making 100000 accounts isn't really hacking. And as has been said there's a very easy way to secure against MySQL injection.
     
  18. mahdiii

    mahdiii

    Joined:
    Oct 30, 2014
    Posts:
    856
    Absolutely, it is so bad if your game lets players create a lot of accounts. It can cause your database to encounter many problems.
    It was not relevant to SQL injection.
     
    Last edited: Jul 20, 2018
  19. Deleted User

    Deleted User

    Guest

    Is it possible to MySQL + Unet?
     
  20. elmar1028

    elmar1028

    Joined:
    Nov 21, 2013
    Posts:
    2,359
    Unet is basically a server hosted by Unity Technologies, which obviously has some sort of database solution (could be MySQL, PostgreSQL or anything else).

    However, I am not sure if we're allowed to host our own databases on their servers. In the worst case scenario, you'll have to host user database separately from multiplayer server (UNET).
     
  21. DRRosen3

    DRRosen3

    Joined:
    Jan 30, 2014
    Posts:
    683
    This makes absolutely no sense. Just knowing the URL of the database's server will not allow the "hacker" to make unlimited accounts. You as the developer are responsible for making checks on the backend to prevent this.
     
  22. mahdiii

    mahdiii

    Joined:
    Oct 30, 2014
    Posts:
    856
    I said the above code lets, not developers!!! Surely you can prevent it.
    I only said the above code only sends name and pass without considering anything, so hackers can send many name/pass pairs. It is so clear.
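
An added example, not code from the thread, of the kind of backend check discussed above: a per-address limit on account creation, kept in the database. The signup_attempts table, allowSignup(), the limit of 3 per hour and the sample address are assumptions; a real endpoint would pass $_SERVER['REMOTE_ADDR'] and time().

```php
<?php
// Added example, not from the thread. All names here are hypothetical;
// SQLite in-memory is an assumption so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE signup_attempts (ip TEXT NOT NULL, at INTEGER NOT NULL)');
$db->exec('CREATE INDEX idx_attempts ON signup_attempts (ip, at)');

const MAX_SIGNUPS = 3;        // assumed policy: 3 new accounts
const WINDOW_SECONDS = 3600;  // per client address per hour

function allowSignup(PDO $db, string $ip, int $now): bool
{
    // One transaction so the count and the insert are applied together.
    $db->beginTransaction();
    // Drop rows that have aged out of the window; keeps the table small.
    $db->prepare('DELETE FROM signup_attempts WHERE at <= :cutoff')
       ->execute([':cutoff' => $now - WINDOW_SECONDS]);
    $count = $db->prepare('SELECT COUNT(*) FROM signup_attempts WHERE ip = :ip');
    $count->execute([':ip' => $ip]);
    $allowed = (int) $count->fetchColumn() < MAX_SIGNUPS;
    if ($allowed) {
        // Only accepted signups consume quota.
        $db->prepare('INSERT INTO signup_attempts (ip, at) VALUES (:ip, :at)')
           ->execute([':ip' => $ip, ':at' => $now]);
    }
    $db->commit();
    return $allowed;
}

// Constructed traffic: five requests in a burst from one address,
// then one more after the window has passed.
$t0 = 1700000000;
foreach ([0, 1, 2, 3, 4, WINDOW_SECONDS + 5] as $offset) {
    $ok = allowSignup($db, '203.0.113.7', $t0 + $offset);
    printf("t+%d: %s\n", $offset, $ok ? 'signup allowed' : 'rejected (rate limit)');
}
```

The create-account script would call allowSignup() before running its INSERT and return an error when it is false.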
     
  23. illinar

    illinar

    Joined:
    Apr 6, 2011
    Posts:
    863
    You must have misread me. I was talking about running Unity build with a PHP layer, not server. I don't know PHP at all, but I assume that in this case it's just a script that handles database requests and maybe login system, the back end.

    Since Unity can work with databases and any incoming connections directly, I assumed that PHP won't be necessary.
     
  24. DRRosen3

    DRRosen3

    Joined:
    Jan 30, 2014
    Posts:
    683
    Well the way I explained my solution in this thread was using WWWForm(s). The PHP is handled on the web (database) side, not in Unity.
     
  25. MMOInteractiveRep

    MMOInteractiveRep

    Joined:
    Apr 7, 2015
    Posts:
    88
    Why use PHP at all for your Login? Create a Console Application to act as a Login Server... Have it connect to the Database. Send username and password over the network to the login server and let the login server check the info against the database. Then if correct create a session and send a login successful message back to the client with the session info which will allow it to connect to your game server.
     
  26. Hayz0rx

    Hayz0rx

    Joined:
    Apr 2, 2016
    Posts:
    34
    Nope, but the interpreter is running on a server. Especially when you have high login traffic, running the interpreter for every request isn't performant at all.
    ^ this
     
  27. copperhaxor55

    copperhaxor55

    Joined:
    Jul 15, 2018
    Posts:
    2
    Love this thread. Did he ever get his phps?
     
  28. Joe-Censored

    Joe-Censored

    Joined:
    Mar 26, 2013
    Posts:
    11,847
    We're really reviving this train wreck of a thread?
     
  29. dadima88

    dadima88

    Joined:
    Mar 21, 2022
    Posts:
    1
    Still reading this post in 2022. Wondering if the project has been successful. Normally when everything was done, people tend not to come back to the forum.
    -saying to myself. Thanks all. Enjoy reading this thread.
     