
Unity IAP and verifying with PHP

Discussion in 'Unity IAP' started by bobcccc, Jun 9, 2020.

  1. bobcccc

    Joined: Mar 12, 2014 | Posts: 122
    I have just started on the IAP in my game, and once the purchase is complete I am guessing some sort of string is sent back to the app, and then that string can be sent to PHP and then somehow verify the transaction was a success in PHP...

    Does anyone know of any examples or tutorials where this is done at all, hopefully within the last year?
     
  2. JeffDUnity3D

    Joined: May 2, 2017 | Posts: 14,446
    That's not strictly necessary, but you would be better advised to use an existing service like PlayFab, ChilliConnect or similar instead of writing your own. You can do basic receipt verification right in the app too:

    https://docs.unity3d.com/Manual/UnityIAPValidatingReceipts.html

    There is a Sample IAP project here; it would be easy to add receipt validation.

    https://forum.unity.com/threads/sample-iap-project.529555/
     
  3. bobcccc

    The reason I want PHP validation is that the majority of the game is done on the PHP/MySQL backend, so when the purchase completes it then has to tell the server to add the special currency. If the server does not validate the receipt then it would be easy for hackers to give themselves a lot of the special currency. I did find this code around the net, not sure if it works or not; it's PHP code, not C#.

    Thanks, I will check out that sample project too.
    Code (PHP):
    function ValidateGooglePlaySignature( $responseData, $signature, $publicKey, &$status, &$response )
    {
        $responseData = trim( $responseData );
        $signature = trim( $signature );
        // Decoded for the caller's convenience; do not trust $response unless $status is 1
        $response = json_decode( $responseData );

        // Create an RSA key compatible with openssl_verify from the base64 Google Play public key
        $key =    "-----BEGIN PUBLIC KEY-----\n".
        chunk_split($publicKey, 64,"\n").
        '-----END PUBLIC KEY-----';
        $key = openssl_get_publickey( $key );

        // Pre-add signature to return array before we decode it
        $retArray = array( 'signature' => $signature );

        // Signature should be in binary format, but it comes as BASE64 (strict mode rejects malformed input)
        $signature = base64_decode( $signature, true );

        // Verify the signature; an unusable key or an undecodable signature counts as a failure
        $result = ( false === $key || false === $signature )
            ? 0
            : openssl_verify( $responseData, $signature, $key, OPENSSL_ALGO_SHA1 );

        $status = ( 1 === $result ) ? 1 : 0;
        $retArray["status"] = $status;
        return $retArray;
    }
     
  4. JeffDUnity3D

    So users are using real dollars to buy in-game virtual currency? Just checking. https://forums.developer.apple.com/thread/74165 So you know, such hacking does not happen on iOS. Google/Android, yes.
     
    Last edited: Jun 9, 2020
  5. bobcccc

    Oh, great to see it doesn't happen on iOS. Unfortunately I am launching my project on Google/Android first. Yes, users will be using real dollars to buy in-game virtual currency, so once they finish the transaction and Google Play returns the data saying successful, it will need to then contact the server and send the data there to be verified and, once verified, add the virtual currency to the database.
     
  6. JeffDUnity3D

    May I ask why you are adding their virtual currency to your database?
     
  7. bobcccc

    The database stores all the game data, like level, stats, items, gold, etc., so it makes sense for it to store the virtual currency as well. If it is only stored on the phone then it would be extremely easy for people to hack the game and give themselves a ton of virtual currency...
     
  8. JeffDUnity3D

    Got it, just make sure to use SSL. And I trust you are calling this from a web service, and not directly. Otherwise each user would require a separate db connection and would quickly saturate the server.
     
    Last edited: Jun 10, 2020
  9. bobcccc

    Correct, I would be sending the request to a PHP file which would then communicate with the server. I was just hoping to find someone with an example of verifying it on the PHP end, otherwise someone could use software and capture the URL that is sent from Unity and then send their own version adding as much virtual currency as they want.
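
The server-side step the posts above are asking about, as an added example (not code from the thread or from Unity): once the signature on the purchase JSON has verified, the server takes the amount from its own product table and refuses a receipt it has already credited. The package name, product IDs and the in-memory `$credited` array (standing in for a MySQL table with a unique key on the purchase token) are assumptions; the field names follow Google Play's purchase JSON.

```php
<?php
// Added example: checks applied AFTER the signature on the purchase JSON has verified.
const EXPECTED_PACKAGE = 'com.example.mygame';   // assumed package name
const CURRENCY_BY_PRODUCT = [                    // hypothetical products; amounts live server-side
    'gems_small' => 100,
    'gems_large' => 1200,
];

// Returns the amount to credit, or 0 if the purchase must be rejected.
// $credited stands in for a DB table with a UNIQUE key on the purchase token.
function creditForPurchase(string $verifiedJson, array &$credited): int
{
    $p = json_decode($verifiedJson, true);
    if (!is_array($p)) {
        return 0;                                // not a JSON object
    }
    foreach (['packageName', 'productId', 'purchaseToken'] as $field) {
        if (!isset($p[$field]) || !is_string($p[$field]) || $p[$field] === '') {
            return 0;                            // field missing or not a non-empty string
        }
    }
    if ($p['packageName'] !== EXPECTED_PACKAGE) {
        return 0;                                // receipt was issued for a different app
    }
    if (($p['purchaseState'] ?? null) !== 0) {
        return 0;                                // only state 0 (purchased) is credited
    }
    if (!array_key_exists($p['productId'], CURRENCY_BY_PRODUCT)) {
        return 0;                                // product the server does not sell
    }
    if (isset($credited[$p['purchaseToken']])) {
        return 0;                                // this purchase was already credited
    }
    $credited[$p['purchaseToken']] = true;       // record the token before granting
    return CURRENCY_BY_PRODUCT[$p['productId']]; // amount never comes from the client
}

// Constructed sample purchase data (not a real receipt)
$sample = '{"orderId":"GPA.0000-0000-0000-00000","packageName":"com.example.mygame",'
        . '"productId":"gems_small","purchaseTime":1591700000000,"purchaseState":0,'
        . '"purchaseToken":"constructed-token-1"}';
$credited = [];
var_dump(creditForPurchase($sample, $credited)); // first submission of the receipt
var_dump(creditForPurchase($sample, $credited)); // same receipt sent again
```

With a real database, the insert of the purchase token and the currency update belong in one transaction so that two simultaneous submissions of the same receipt cannot both be credited.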
     
  10. JeffDUnity3D

    I would strongly suggest not sending it directly to a php server as you suggest, but instead use a web service. This is how it is typically done, and is much more secure.
     
  11. bobcccc

    I am completely lost. So I should not use Unity IAP but a web service for Google Play IAP? Do you have any examples at all? Thanks.
     
  12. JeffDUnity3D

    Sorry for the confusion. You are creating a service to verify IAP receipts (only) is my understanding. Many studios do this to enhance security in addition to the on-device receipt validation that I linked to previously. This (optional) service should be a web service. You don't handle ANY actual purchases or transactions on your servers, this is all handled by IAP for you. You don't need a server at all for IAP, please get the Sample IAP project working first. This should help you get started also https://docs.unity3d.com/Manual/UnityIAPGoogleConfiguration.html
     
  13. bobcccc

    OK, thanks, got it. Cheers.
     