Search Unity

  1. We are migrating the Unity Forums to Unity Discussions. On July 12, the Unity Forums will become read-only. On July 15, Unity Discussions will become read-only until July 18, when the new design and the migrated forum contents will go live. Read our full announcement for more information and let us know if you have any questions.

Tutorial: Unity and PHP login script - simple but useful

Discussion in 'Multiplayer' started by xandeck, Jun 10, 2009.

  1. xandeck

    xandeck

    Joined:
    Apr 2, 2009
    Posts:
    563
    Thanks mescalin. Making for C# is pretty easy too ;)

    @sidrakhalid,

    Sorry, I never got the email about your post. Let me know if you still need some help :)
     
    Last edited: Apr 5, 2014
  2. TournyMasterBot

    TournyMasterBot

    Joined:
    Sep 8, 2013
    Posts:
    13
    Editing this post because xandeck is linking to it instead of updating the primary post,

    Xandeck's regex will NOT protect against sql injection. It at best makes it only a half step harder.

    http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php

    PREPARED statements using PDO are the correct way to handle sql injection. Then you don't have any need to restrict user input, as it treats input as strictly text input, and prevents ALL possibility of sql injection when you use parameters correctly. This applies to pretty much every database, PARAMETERIZE user input. Never roll your own cleansing script.

    Again Key Takeaway:
    Use PARAMETERIZED queries when sending ANY user input to the database. Sanitation by stripping out control characters is 100% of the time an insecure way to handle input. Use the libraries that are explicitly designed to parameterize your query. Do not rely on mysql_real_escape_string, do not rely on addslashes, do not rely on htmlencode to sanitize data for your database. It's wrong. Period. It is more work to create this sanitation, and less secure than simply using prepared statements. Please, for your users, for your site, for your game, use parameterized queries. It's easy. It's less work than rolling your own sanitation. It generally makes your queries run better!

    For PHP: Use PDO (http://code.tutsplus.com/tutorials/why-you-should-be-using-phps-pdo-for-database-access--net-12059)
    For C#: Use SqlCommand Parameters (http://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlcommand.parameters(v=vs.110).aspx)

    Please. Do it the right way. It's easy. It's safe. It's worth the five minutes to read the articles and use the examples correctly.

    Further reading, if you're interested in various types of attacks:
    Basic information about SQL injection: http://en.wikipedia.org/wiki/SQL_injection
    Basic information about SQL injection (From a stack overflow question): http://stackoverflow.com/questions/...gle-quotes-be-defeated-by-sql-injection-in-sq
    MSDN article about injection: http://msdn.microsoft.com/en-us/magazine/cc163917.aspx
    Multi Byte Character Attacks: http://security.stackexchange.com/questions/9908/multibyte-character-exploits-php-mysql

    This information is critically important. Learn it before you do ANYTHING with SQL queries that use user input.
     
    Last edited: Apr 11, 2014
    orb and elmar1028 like this.
  3. xandeck

    xandeck

    Joined:
    Apr 2, 2009
    Posts:
    563
    Hello Masa,

    Well, this is not the purpose of the tutorial, but I will make a link to the first post of what you said ;)
     
  4. PuSH

    PuSH

    Joined:
    May 3, 2014
    Posts:
    1
    I don't git it dose it all go in one script ???
     
  5. mescalin

    mescalin

    Joined:
    Dec 19, 2012
    Posts:
    67
    so all this worrying is making me a little paranoid, surely if you remove all the escape chars on the input and that is the ONLY input this is secure?


    so i understand the limits in the sense of my client will upload scores, can't stop someone hacking the client, however what i don't want is someone being able to break out into the php and then get access to other data, are we fairly confident of this?
     
  6. xandeck

    xandeck

    Joined:
    Apr 2, 2009
    Posts:
    563
    No, there is no real security in this tutorial. And I did not check what Masa said.
    Also, I will update the first entry saying that I will not and cannot answer any more questions related to security. This is not the point of the tutorial at all. Anyone who wants a secure connection, should study more PHP and security.
     
  7. mescalin

    mescalin

    Joined:
    Dec 19, 2012
    Posts:
    67
    fair enough looks like i have to, thanks anyway i do appreciate the code
     
  8. xandeck

    xandeck

    Joined:
    Apr 2, 2009
    Posts:
    563
    I am sure you can find good tutorials on internet about security, mescalin ;)
     
  9. mescalin

    mescalin

    Joined:
    Dec 19, 2012
    Posts:
    67
    i thought i may as well contribute my thoughts


    to the best of my reading xandecks code uses the most common methods (plus one extra function preg_replace), it filters the input to prevent injection hut he does not use the newer "MySQLi" driver added to php to address some of these concerns.

    I do not think this is vulnerable to injection though xandeck has done it the normal way as far as i can tell. However one thing is the password and username WILL be transmitted by plaintext, you can wireshark it. However that is the point of HTTPS, if you use HTTPS a hacker cannot get the details, i contemplated making my own security scheme but you realise actually most of the web does it that way.


    with that in mind i am fairly confident in this code, every dev has to make up their own mind as stated though, personally I see it as a great solution for some online functionality that works at about every wifi point i have been at :), no nat issue when you are pretending to be a website, good stuff
     
    rollandgrogg likes this.
  10. Chapi

    Chapi

    Joined:
    Aug 27, 2013
    Posts:
    13
    Danm php synax really is horrible :/

    Great tutorial thought, helped me quite a bit :D
     
    rollandgrogg likes this.
  11. rollandgrogg

    rollandgrogg

    Joined:
    Jan 28, 2015
    Posts:
    2
    Thanks for Discussion....
     
  12. aanimation

    aanimation

    Joined:
    Oct 23, 2012
    Posts:
    49
    bookmarked
     
  13. rollandgrogg

    rollandgrogg

    Joined:
    Jan 28, 2015
    Posts:
    2
    Hey guys...

    I am suggested this site ptutorial. This site is most useful for phptutorial. If you are looking PHP login script - simple
    but useful so visit this site. I am sure you Satisfied my suggetion.

    Thanks
    Rolland Grogg
     
  14. GXMark

    GXMark

    Joined:
    Oct 13, 2012
    Posts:
    516
    I just thought this simple example might be useful for someone wanting to post and get data back from a PHP page in unity.

    Code (CSharp):
    1. using UnityEngine;
    2. using System.Collections;
    3. using System;
    4.  
    5. public class TestScript : MonoBehaviour
    6. {
    7.     IEnumerator Start()
    8.     {
    9.         WWWForm wwwForm = new WWWForm ();
    10.         wwwForm.AddField ("ValueA", "22");
    11.         wwwForm.AddField ("ValueB", "44");
    12.  
    13.         // Create a download object
    14.         WWW download = new WWW ("http://localhost/My.php", wwwForm);
    15.  
    16.         // Wait until the download is done
    17.         yield return download;
    18.  
    19.         Debug.Log(download.error);
    20.         Debug.Log(download.text);
    21.  
    22.         string[] values = download.text.Split(new char[] {'\n'});
    23.        
    24.         foreach (string value in values)
    25.         {
    26.             if (String.IsNullOrEmpty(value.Trim()))
    27.             {
    28.                 continue;
    29.             }
    30.             string[] variable = value.Split (new char[] {'='});
    31.  
    32.             Debug.Log ("PHP data: " + variable[0].Trim() + " = " + variable[1].Trim());
    33.         }
    34.     }
    35.  
    36. }
    37.  
    Then the PHP page is

    Code (csharp):
    1.  
    2. <?php
    3. $ValueA = $_POST ["ValueA"];
    4. $ValueB = $_POST ["ValueB"];
    5.  
    6. $ResultA = $ValueA * $ValueB;
    7. $ResultB = $ValueA + $ValueB;
    8.  
    9. echo ("ResultA = $ResultA\n");
    10. echo ("ResultB = $ResultB\n");
    11. ?>
    12.  
    Please note that the echo is not a displaying a comment but actually assigns the results which are picked up in the unity code after the yield.
     
  15. kasulogamestudio

    kasulogamestudio

    Joined:
    Mar 22, 2012
    Posts:
    130
    hey GXMark, looks good =)
    We will try to do some more stuff here soon ;)
     
  16. EETechnology

    EETechnology

    Joined:
    Aug 15, 2015
    Posts:
    185
    Perfect way of doing this. ;)
     
  17. Picc_Excellence

    Picc_Excellence

    Joined:
    Sep 21, 2015
    Posts:
    2
    Anyone confused about php and mysql and how it links to JS and C# should check out this wiki. It lays all the example scripts out for you AND shows the difference between secure and unsecure php.
    http://wiki.unity3d.com/index.php?title=Server_Side_Highscores

    However, You should NEVER include your db credentials (USERNAME, PASSWORD, etc.) in he same file as the mysql, mysqli or PDO call. Always use include('credentials_file.php'); and place all credentials in a separate file. I can't stress this enough.
     
  18. SakisPoupnaras

    SakisPoupnaras

    Joined:
    Sep 1, 2016
    Posts:
    1
    can you give me an example how to check for duplicates in c# and push a message the server already has this failsafe but how do i know and where can i see it and show it on screen. I.E.: the name is John(witch is already in database) if i go and type it again after i hit next to apear a message where it says it is already taken choose another.
     
  19. MFKJ

    MFKJ

    Joined:
    May 13, 2015
    Posts:
    264
    Recv failure: Connection was reset. i am getting this error
     
  20. Nour_Anwar1992

    Nour_Anwar1992

    Joined:
    Oct 22, 2017
    Posts:
    2
    Can i use PHP code run on localhost XAMPP to be connected with Unity??
     
  21. kriteshanand

    kriteshanand

    Joined:
    Dec 22, 2017
    Posts:
    1
    Thanks a lot for sharing information on php and Java Script.
     
  22. crystalime

    crystalime

    Joined:
    Jul 28, 2018
    Posts:
    1
  23. mr_casco

    mr_casco

    Joined:
    Oct 26, 2018
    Posts:
    1
    Is this tutorial still working or is it completely obsolete? Because I see a lot of comments from 2010 and the post itself is from 2009, ten years has passed lol.
     
  24. runner78

    runner78

    Joined:
    Mar 14, 2015
    Posts:
    811
    The PHP part is completely obsolete and not working on newer PHP versions.