Please Help! IF Statement Problem

Discussion in 'Scripting' started by SKGate, Oct 17, 2018.

  1. SKGate

    Joined: Nov 11, 2016
    Posts: 19
    Hello, I'm banging my head against a wall with this problem. I have an IF Statement checking for the echo of a PHP file. I have Debug.Log checking what the echo is and it's showing 999 like it is supposed to. Then IF it's 999 do some stuff, but it's skipping right to the ELSE statement for some reason. Code Below:

    Code (CSharp):
    using System.Collections;
    using System.Collections.Generic;
    using UnityEngine;
    using UnityEngine.UI;
    using UnityEngine.SceneManagement;

    public class Registration : MonoBehaviour
    {
        public InputField nameField;
        public InputField passwordField;

        public Button submitButton;

        public void CallRegister()
        {
            StartCoroutine(Register());
        }

        IEnumerator Register()
        {
            WWWForm form = new WWWForm();
            form.AddField("name", nameField.text);
            form.AddField("password", passwordField.text);
            WWW www = new WWW("http://localhost/sqlconnect/register.php", form);
            yield return www;
            Debug.Log(www.text); // Checking the echo of PHP file, it's showing 999
            if (www.text == "999")
            {
                Debug.Log("User Created Successfully.");
                SceneManager.LoadScene(0);
            }
            else
            {
                Debug.Log("User Creation Failed.  Error #" + www.text); //It's showing 999
            }
        }

        public void VerifyInputs()
        {
            submitButton.interactable = (nameField.text.Length >= 5 && passwordField.text.Length >= 8);
        }

    }
    I don't understand what's going on.

    Please Help.

    Thanks
     
  2. StarManta

    Joined: Oct 23, 2006
    Posts: 8,773
    I'd bet there's some unexpected whitespace. A newline, a space after "999", etc. Try if (www.text.Contains("999") ) instead.
     
  3. SKGate

    Yea, that worked. Not sure about the whitespace tho. Here are the last few lines of the PHP file containing the echo.

    Code (CSharp):
        mysqli_query($con, $insertuserquery) or die("4: Insert Player Query Failed"); //error code #4 - insert query failed

        echo "999";

    ?>
     
  4. karl_jones

    Unity Technologies
    Joined: May 5, 2015
    Posts: 8,227
  5. SKGate

  6. karl_jones

  7. StarManta

    Well 21 is certainly more than I expected, lol. But I've long since learned to not try and understand HTTP, just accept it :p
     
  8. SKGate

    Yea same here. I just can't understand how it could be that much. I mean where does it start and end the Calculation of Length? Because from the start of echo "999"; to the end with the semicolon, there are only 11 spaces. Does it calculate whitespace before and after as well?
     
  9. karl_jones

  10. SKGate

    Hey karl_jones,

    I did what you said and I got: 39 39 39 d a d a d a d a d a d a d a d a d a,

    I looked up and the 39 39 39 = 999,
    But I'm sorry, I don't understand what the d a is in the chart.
     
  11. karl_jones

    I believe they are Line feed and carriage return.
    So either fix it so they never get sent or filter it out.
     
  12. SKGate

    I would like to fix it, but not sure how to accomplish this, would re-writing it fix the issue?
     
  13. karl_jones

    What's the PHP look like?
    It sounds like you are getting the 999 and then a bunch of empty lines.
     
  14. SKGate

    I'm sorry karl_jones for being such a bother, I'm very new to scripting and struggling to get my Database setup with Unity for my game. Here is the PHP:
    Code (CSharp):
    1. <?php
    2.  
    3.     $con = mysqli_connect('localhost', 'root', 'root', 'mygame');
    4.  
    5.  
    6.         //check that connection happened
    7.     if (mysqli_connect_errno())
    8.     {
    9.         echo "1: Connection Failed"; //error code #1 = connection failed
    10.         exit();      
    11.     }
    12.  
    13.     $username = $_POST["name"];
    14.     $password = $_POST["password"];
    15.  
    16.  
    17.     //check if name exists
    18.     $namecheckquery = "SELECT username FROM users WHERE username = '" . $username . "';";
    19.  
    20.  
    21.     $namecheck = mysqli_query($con, $namecheckquery) or die("2: Name Check Query Failed"); //error code #2 - name check query failed
    22.  
    23.  
    24.     if (mysqli_num_rows($namecheck) > 0)
    25.     {
    26.         echo "3: Name Already Exists"; //error code #3 - name exists cannot register
    27.         exit();
    28.     }
    29.  
    30.         //add user to the table
    31.     $salt = "\$5\$rounds=5000\$" . "steamedhams" . $username . "\$";
    32.  
    33.     $hash = crypt($password, $salt);
    34.  
    35.     $insertuserquery = "INSERT INTO users(username, hash, salt) VALUES ('" . $username . "','" . $hash . "','" . $salt . "');";
    36.  
    37.     mysqli_query($con, $insertuserquery) or die("4: Insert Player Query Failed"); //error code #4 - insert query failed
    38.  
    39.     echo "999";
    40.  
    41. ?>
    42.  
    43.  
    44.  
    45.  
    46.  
    47.  
    48.  
    49.  
    50.  
    51.  
    Oh, and while I have you, if I have a Dedicated Server with all PHP files stored on it along with the Database and I call the PHP files from Unity to access the Database, do you know if that presents Security issues such as SQL Injections or should I be ok?
     
    Last edited: Oct 18, 2018
  15. Kobaltic1

    Joined: Jan 22, 2015
    Posts: 183
    1. You should never directly access super globals. You need to sanitize and filter your input.
    change your $_POST to this:
    Code (CSharp):
    $username= filter_input(INPUT_POST, 'name', FILTER_SANITIZE_SPECIAL_CHARS);

    $password= filter_input(INPUT_POST, 'password', FILTER_SANITIZE_SPECIAL_CHARS);
    2. Don't use your own salt. It isn't strong enough. Use password_hash() instead
    http://php.net/manual/en/function.password-hash.php

    3. Don't echo out your result. Use JSON. json_encode()
    https://www.w3schools.com/js/js_json_php.asp
    To decode:
    https://docs.unity3d.com/Manual/JSONSerialization.html

    EDIT: Always assume SQL injection. ALWAYS bind your parameters. I would even recommend switching from mysqli to PDO.
     
  16. SKGate

    Kobaltic1,
    This is the first time I've used PHP and been following a tutorial to get this far.
    I read to prevent SQLInjections to use prepared statements which I've been trying to convert the above PHP into. But I keep running into problems.

    Could you PLEASE show me how you would write the above PHP?
    If you did, I could then see the difference and understand how to do it for my future PHP scripts.
     
  17. In PHP if you have anything out of the <?php ... ?> that will be part of the served page.
    Those lines (42-51) will be your CR/LF characters...
     
  18. SKGate

    Thank you very much LurkingNinjaDev,
    That solved that problem.
    Didn't know PHP was that sensitive. At least I know for future PHP scripts.

    Now all I have to do is figure out these Prepared Statements and PDO.
     
  19. It's a bit more complex than that. PHP is a web-oriented language, its first and foremost role is to construct webpages. Also, the surrounding document is served by the web-server and the <?php ... ?> part is replaced by the output your PHP script provides, so it's basically not the PHP's doing, it's the web server.
     
  20. SKGate

    Ah.. Thank you for the knowledge!
     
  21. Kobaltic1

    change this
    Code (CSharp):
    $namecheckquery = "SELECT username FROM users WHERE username = '" . $username . "';";

    $namecheck = mysqli_query($con, $namecheckquery) or die("2: Name Check Query Failed"); //error code #2 - name check query failed


       if (mysqli_num_rows($namecheck) > 0)
        {
          echo "3: Name Already Exists"; //error code #3 - name exists cannot register
           exit();
       }

    To this (untested but should work.)
    Code (CSharp):
    $namecheckquery = $con->prepare("SELECT username FROM users WHERE username = ? ");
    $namecheckquery->bind_param("s", $username);
    $namecheckquery->execute();
    $namecheck = $namecheckquery->get_results();
    if ($namecheck >0)
    {
    echo "3: Name Already Exists"; //error code #3 - name exists cannot register
           exit();
    }
     
  22. Joe-Censored

    Joined: Mar 26, 2013
    Posts: 11,847
    Basically .php files are just .html files with php code executed and any output replacing the <?php ?> block. Anything outside of those php blocks is handled just like an .html file would be handled. That's because php was originally designed to be something that can be sprinkled around an otherwise normal html file.
     
  23. SKGate

    Hey Kobaltic1,

    Thank you for your Response and taking time out of your day to write the PHP for me.

    I replaced that part of the code like you said but I'm having an issue, I have a user in my Database and when I try adding the same user, it's not showing the "Name Already Exists" in the If statement.
    So I don't know if it's actually working or not.

    I'll keep trying but I just don't know why I can't get this to work.

    @Joe-Censored
    Thank You for your explanation, I'll keep that in mind moving forward.
    Seems as if I'm terrible with PHP, I'm having a hard time understanding the Language. I'm new to C# and have been teaching myself, throwing PHP in is a bit of an overload. I just need to get Basic Secure PHP files for sending data to my mysql database so I can proceed with my game.
     
  24. SKGate

    OK,
    After hours of trying many things, the only way I could get it to work is like this:
    Code (CSharp):
        $namecheckquery = $conn->prepare("SELECT username FROM users WHERE username = ?");
        $namecheckquery->execute(array($username));

        if($namecheckquery->rowCount() >0)
        {
        echo "3: Name Already Exists"; //error code #3 - name exists cannot register
            exit();
        }
    Would this still be considered Secure? Without the $namecheckquery->bind_param("s", $username); and using $namecheckquery->execute(array($username)); instead?
     
  25. SKGate

    @Kobaltic1 or anyone experienced with PHP and Databases,

    This is the new PHP file for my registration, it works but I would like someone who knows about this to verify if there are integrity issues that I should be aware of. I just want to make sure I'm not open to SQL Injections or any intrusions as much as possible.
    Code (CSharp):
    <?php
    $servername = "localhost";
    $username = "root";
    $password = "root";
    $dbname = "mydb";


        $conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
        // set the PDO error mode to exception
        $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        //echo "Connected successfully";

        $usernameinput = filter_input(INPUT_POST, 'name', FILTER_SANITIZE_SPECIAL_CHARS);
        $passwordinput = filter_input(INPUT_POST, 'password', FILTER_SANITIZE_SPECIAL_CHARS);

        $namecheckquery = $conn->prepare("SELECT username FROM users WHERE username = ?");
        $namecheckquery->execute(array($usernameinput));

        if($namecheckquery->rowCount() >0)
        {
        echo "3: Name Already Exists"; //error code #3 - name exists cannot register
            exit();
        }

        $hash = password_hash($passwordinput, PASSWORD_DEFAULT);
        $insertuserquery = $conn->prepare("INSERT INTO users(username, hash) VALUES (:username, :hash)");
        $insertuserquery->bindParam(':username', $usernameinput);
        $insertuserquery->bindParam(':hash', $hash);
        $insertuserquery->execute() or die("4: Insert Player Query Failed"); //error code #4 - insert query failed

        echo "0";

    ?>
    If this is good to go then I get to move on to the login script

    Thank You all for all the help
     
  26. Kobaltic1

    That is the way I do PDO. I wasn't sure if mysqli had the same feature.
     
  27. SKGate

    @Kobaltic1,
    Ok, so it sounds like you gave me the thumbs up, I wasn't sure if $namecheckquery->execute(array($username)); was open to any SQL Injections or not.

    Also, @Kobaltic1 or anyone, do I have to issue a command to close the connection?
     
  28. Kobaltic1

    yes and yes

    Code (CSharp):
    mysqli_close($con);
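
A hardened version of the registration endpoint discussed in posts 15 to 28, as an added example that is not part of the thread: it binds parameters, lets password_hash() generate the salt, returns JSON, closes the connection by dropping the PDO handle, and omits the closing ?> tag so trailing blank lines cannot reach the response. Assumptions: an in-memory SQLite database stands in for MySQL so the script runs offline, username carries a uniqueness constraint, and register_user() and status code 5 are hypothetical names.

```php
<?php
// Added example, not code from the thread. SQLite in memory stands in for
// MySQL so it runs offline; it assumes a PRIMARY KEY (unique) on username.
declare(strict_types=1);

function register_user(PDO $pdo, string $name, string $password): array
{
    // Validate, don't rewrite: same length limits as VerifyInputs() in the C#.
    // Code 5 is a hypothetical addition to the thread's error numbers.
    if (strlen($name) < 5 || strlen($password) < 8) {
        return ['code' => 5, 'message' => 'Invalid name or password length'];
    }
    // Hash the password exactly as typed; an HTML-escaping filter would change
    // characters such as < and & before hashing. password_hash() adds the salt.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    try {
        // Values are bound to placeholders, never concatenated into the SQL.
        $stmt = $pdo->prepare('INSERT INTO users (username, hash) VALUES (:u, :h)');
        $stmt->execute([':u' => $name, ':h' => $hash]);
    } catch (PDOException $e) {
        // SQLSTATE class 23 = integrity constraint violation (duplicate name).
        if (strncmp((string) $e->getCode(), '23', 2) === 0) {
            return ['code' => 3, 'message' => 'Name Already Exists'];
        }
        return ['code' => 4, 'message' => 'Insert Player Query Failed'];
    }
    return ['code' => 0, 'message' => 'User Created'];
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, hash TEXT NOT NULL)');

// Constructed inputs: a normal name, the same name again, and a name made of
// SQL metacharacters that must be stored as plain data.
$samples = [['player_one', 'correct horse'], ['player_one', 'another pass'],
            ["x'; DROP TABLE users; --", 'long enough pw']];
foreach ($samples as [$name, $pw]) {
    // json_encode emits exactly one line per result, with no stray whitespace.
    echo json_encode(register_user($pdo, $name, $pw)), "\n";
}
// Count the rows to confirm the table survived the metacharacter input.
$count = (int) $pdo->query('SELECT COUNT(*) FROM users')->fetchColumn();
echo json_encode(['rows' => $count]), "\n";
$pdo = null; // dropping the last reference closes a PDO connection
// No closing tag: nothing after the code can leak into the response body.
```

On the Unity side, parse the JSON and compare the numeric code field instead of matching the raw response string.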