
UnityWebRequest Post Issues

Discussion in 'Scripting' started by Supermook, Nov 25, 2020.

  1. Supermook

    Hi Guys,

    I am having a really hard time getting my UnityWebRequest to post information to my standard PHP MySQL backend. I had it working with .Get but wanted to introduce a difficulty variable so I can pull the relevant difficulty of questions without having to pull the whole table!

    Unity is saying there is an error in my SQL syntax, but when I run the query on the phpMyAdmin, the query runs fine. Unity does provide a warning saying Warning: Non-numeric value. I have a feeling that I am misunderstanding the way to post to the back end in Unity, but I'm not sure, and now I'm banging my head against the wall haha! Below is my code. Can anyone help?

    Request Code:
    Code (CSharp):
    IEnumerator BuildQuestions()
    {
        string difficultyText = difficulty.ToString();
        WWWForm form = new WWWForm();
        form.AddField("difficulty", difficultyText);
        UnityWebRequest request = UnityWebRequest.Post("http://localhost/projectLearning/pullMathsQuestions.php", form);
        yield return request.SendWebRequest();
        if (request.isNetworkError || request.isHttpError)
        {
            Debug.Log("Connection Failed");
        }
        else
        {
            questions = JsonConvert.DeserializeObject<QuestionModel>(request.downloadHandler.text);
            print(questions.status.requestObject);
            CreateQuestionsList(questions);
        }
    }
    Backend PHP Code:
    Code (PHP):
    <?php

        ini_set('display_errors', 'On');
        error_reporting(E_ALL);

        if (mysqli_connect_errno()) {
            echo "1";
            exit;
        }

        $query = "SELECT * FROM level1 WHERE difficulty=" + $_REQUEST['difficulty'] + " ORDER BY RAND() LIMIT 12";

        $result = $conn->query($query);

        if(!$result){

            $output['status']['code'] = "400";
            $output['status']['name'] = "executed";
            $output['status']['requestObject'] = $_REQUEST['difficulty'];
            $output['status']['description'] = $conn -> error;
            $output['data'] = [];

            mysqli_close($conn);

            echo json_encode($output);

            exit;

        }

        $data = [];

        while ($row = mysqli_fetch_assoc($result)) {

            array_push($data, $row);

        }

        $output['status']['code'] = "200";
        $output['status']['name'] = "ok";
        $output['status']['description'] = "success";
        $output['data'] = $data;

        mysqli_close($conn);

        echo json_encode($output);

    ?>
    Please help!
     
    Last edited: Nov 26, 2020
  2. Aurimas-Cernius

    Unity Technologies

    Have you tried setting useHttpContinue to false? Some older servers don't like it.
     
  3. Supermook

    Omg, this is super embarrassing. So I am the biggest idiot on Unity Forums, and basically concatted my PHP incorrectly...

    Instead of using + (like every other language may I add!) you use full stops . to concat strings with vars.

    I'm going to go away and be embarrassed now. :)
     
  4. Bunny83

    Yea PHP has a lot of hidden gotchas that's why I don't like it that much ^^. It's an extreme "fuzzy" language. You have 10 different ways to do the same thing but 4 out of those 10 might fail in certain circumstances.

    Though I just want to add that there are other languages like lua which use the ".." operator to concat strings. So it's not that strange. I have tons of other things I don't like ^^. Like the difference between "" and '' :)

    As a side note: Hopefully you don't want to expose that API to the public... If you do, please look up SQL injection and then rewrite your queries from the ground up ^^. If you don't like to read articles, maybe have a look at this computerphile video as well as the follow up video which gets a bit more concrete.
     
  5. Supermook

    Thanks Bunny, when it is live, I will have a config file, I'm just being lazy since I'm developing locally at the moment xD
     
  6. Bunny83

    Config file? I wasn't worried about your local database user name and password. That's kinda useless if the database login is set up correctly so it only works for the local user. I'm talking about how you handle the post data in your query.

    If I send a "difficulty" value like "1; drop database; --" to your API you will lose your complete database. If you watch the second video you see other attacks which are possible against your API. Again, I highly recommend you refresh your knowledge about SQL injection attacks and web security.
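
The rewrite this post asks for, as an added example that is not part of the original thread: the `difficulty` value is validated as an integer and bound to a prepared statement instead of being concatenated into the query text. The connection credentials and the 1 to 10 range are assumptions; `level1` and `difficulty` are taken from the script posted above.

```php
<?php
// Added example, not the original poster's code. Connection details are
// placeholders (assumptions); table and field names come from the thread.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

function respond(int $httpCode, string $name, string $description, array $data = []): void
{
    http_response_code($httpCode);
    header('Content-Type: application/json');
    echo json_encode([
        'status' => ['code' => (string)$httpCode, 'name' => $name, 'description' => $description],
        'data'   => $data,
    ]);
    exit;
}

// 1. Validate: difficulty must be an integer in the expected range
//    (1 to 10 is an assumption). A value such as "1; drop database; --"
//    fails here and never reaches the database.
$difficulty = filter_input(INPUT_POST, 'difficulty', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1, 'max_range' => 10]]);
if ($difficulty === null || $difficulty === false) {
    respond(400, 'bad request', 'difficulty must be an integer from 1 to 10');
}

try {
    $conn = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');

    // 2. Bind: the value is sent separately from the SQL text, so it cannot
    //    change the structure of the statement.
    $stmt = $conn->prepare('SELECT * FROM level1 WHERE difficulty = ? ORDER BY RAND() LIMIT 12');
    $stmt->bind_param('i', $difficulty);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC); // requires the mysqlnd driver
    $stmt->close();
    $conn->close();
} catch (mysqli_sql_exception $e) {
    // 3. Log details server-side; do not echo the database error to the client.
    error_log('pullMathsQuestions: ' . $e->getMessage());
    respond(500, 'error', 'internal error');
}

respond(200, 'ok', 'success', $rows);
```

Because this version sets real HTTP status codes, a rejected value lands in the `request.isHttpError` branch of the Unity coroutine instead of being parsed as a question list.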
     
  7. Supermook

    I see what you mean now! This is really useful, I didn't realise it was that powerful! Thanks for these vids, I'll start bearing this in mind more often. Thankfully none of the projects I've been creating have any sensitive data. :)