Best practices for communication with a web server/database

Discussion in 'Editor & General Support' started by lovemoebius, Jan 12, 2019.

  1. lovemoebius

    I'm having trouble understanding what the best methods for uploading files and inserting data into a web database from Unity or C# are.

    At the moment I'm using the SSH.NET library to connect to my Ubuntu Server to upload images; it's working great and I have had no problems with it. However, users on Stack Overflow have discouraged me from storing my SSH user/password in my code because it's not secure. Their solution to that was using PHP scripts (as described here) to upload files.

    Here's the problem though: knowing the location of those scripts, anyone would be able to upload anything they want to my server, so that's even less secure.

    What should I do here? I know the basics of PHP but have absolutely no idea how to make it so that only I can upload things using my scripts.
     
  2. daerom

    What the people over at Stack Overflow said is correct. You should never include SSH credentials in your game build. That said, your intuition is right -- the suggestion provided is not good either. It leaves an open path for anyone to upload whatever they want (assuming you haven't done some hardening on the server).

    Your best bet is to set up a script (similar to the one suggested) that has some form of security on top of it. Unfortunately, "security" is a wide swath of things, so it can be overwhelming. You can go anywhere from adding a parameter on the URL to attempt to obfuscate, to full-on user-level authentication/authorization. Obviously for your use-case, the latter is overkill. I would also argue that even over HTTPS, the former is not enough. If I were you, I would likely go with a fairly simple HMAC authorization header (see https://www.wolfe.id.au/2012/10/20/what-is-hmac-authentication-and-why-is-it-useful/). With a quick Google, I was able to find several PHP examples of HMAC (same with .NET). You should also make sure you are doing whatever you can to harden the site from a server configuration standpoint (ex. only allow certain file types, file size limits, etc.).
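
The HMAC authorization header suggested in the post above, combined with the size and file-type limits it mentions, as an added example that is not code from the thread or from the linked article. The header names (X-Timestamp, X-Signature), the string-to-sign layout, the limits and the sample values are assumptions, and it presumes the shared secret is held only by the trusted uploader and the server.

```php
<?php
declare(strict_types=1);
// Added example: header names, string-to-sign layout and limits are assumptions.
const MAX_SKEW_SECONDS = 300;              // freshness window against replay
const MAX_BODY_BYTES   = 5 * 1024 * 1024;  // upload size limit
const ALLOWED_MIME     = ['image/png', 'image/jpeg'];

// What the uploader must compute and send as the X-Signature header (hex).
function sign_request(string $secret, string $method, string $path, int $ts, string $body): string
{
    // Binding method, path, time and a body hash stops a captured signature
    // from being reused for another file, endpoint or time.
    $stringToSign = implode("\n", [$method, $path, (string)$ts, hash('sha256', $body)]);
    return hash_hmac('sha256', $stringToSign, $secret);
}

// Returns null when the upload is acceptable, otherwise the rejection reason.
function check_upload(string $secret, string $method, string $path, string $tsHeader,
                      string $sigHeader, string $body, int $now): ?string
{
    if (!ctype_digit($tsHeader)) {
        return 'bad timestamp';
    }
    if (abs($now - (int)$tsHeader) > MAX_SKEW_SECONDS) {
        return 'stale timestamp';
    }
    if (strlen($body) > MAX_BODY_BYTES) {
        return 'body too large';
    }
    $expected = sign_request($secret, $method, $path, (int)$tsHeader, $body);
    if (!hash_equals($expected, strtolower($sigHeader))) {  // constant-time compare
        return 'bad signature';
    }
    // Decide the type from the bytes themselves, not a client-supplied name.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($body);
    return in_array($mime, ALLOWED_MIME, true) ? null : 'file type not allowed';
}

// Constructed sample: PNG signature plus an IHDR chunk header as the body.
$secret = 'constructed-demo-secret';  // in practice loaded from server-side config
$body   = "\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR" . str_repeat("\0", 17);
$now    = 1700000000;                  // constructed clock value
$sig    = sign_request($secret, 'POST', '/upload.php', $now, $body);

var_dump(check_upload($secret, 'POST', '/upload.php', (string)$now, $sig, $body, $now));            // valid request
var_dump(check_upload($secret, 'POST', '/upload.php', (string)$now, $sig, $body . 'x', $now));      // altered body
var_dump(check_upload($secret, 'POST', '/upload.php', (string)($now - 3600), $sig, $body, $now));   // hour-old timestamp
```

In a real endpoint the arguments would come from `$_SERVER['REQUEST_METHOD']`, the request path, `$_SERVER['HTTP_X_TIMESTAMP']`, `$_SERVER['HTTP_X_SIGNATURE']`, `file_get_contents('php://input')` and `time()`.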
     
  3. JeffDUnity3D

    Always use a web service to communicate with a database. Generally never connect directly to any db resource; it's not scalable.