doushi3819244 2016-12-17 23:17

Unity3D to PHP security issue

I have a question I am stumped on. Okay, this is for a game of mine in Unity3D.

To make this make sense in terms of what people normally play, let's say the player has 500 Gold in their account (saved in the database), and the player earns 243 gold by doing some kind of task. How could the game (Unity3D) tell the PHP file they earned specifically 243 Gold?

Because here's where the issue lies: in Unity3D there's a class called WWW. It allows you to send some sort of string to a PHP file.

int currentGold;
string goldToSend = currentGold.ToString(); // Only using that for example.

WWWForm form = new WWWForm();
form.AddField("NameOfPostRequestInPHPFile",goldToSend);
WWW www = new WWW("website.com/PHPFile.php", form);

Now, as you can see, I am in a pretty big dilemma: being that you can't trust the client with anything, how would one actually send a random gold amount from the client side to the PHP to then put into a database?

The issue I am facing is: how can one really make PHP understand what's going on in the game without the client actually telling it a thing? And being that you can't trust the client, how can the client actually tell the PHP to load, use this data and then put it into the database?

I thought about using hashes and stuff, but then that still brings up the problem client side.

Let's say:

if(sentGold == 243){
string hash = hash01;
// Change it to hash1000 (to get 1000 gold).
}
if(sentGold == 1000){
string hash = hash1000;
}

As you can see, using if statements clearly wouldn't work either, because then the hashes could just be changed locally to fit their devious attempts. Plus it looks like garbage to have 20K if statements.

I know it's impossible to entirely stop hacking. But at the same time, if I do something I want to do it right, not half-a**ed, if you get what I mean?

If you've made it to this point reading my help message, I really appreciate the time you've put into reading it; it means a lot to me.

Now, if there's some other technology or hints you might know that could help me with this, or heck, even a tutorial on it (I've been looking for days), I'd appreciate it, but I'm still deadlocked because nobody is addressing the fact that, yeah, they might use secret keys and so forth, but they are failing to address that the string they send can be easily tampered with. All they gotta do is change it from 243 to 9999999999 and then they are rich.

1 answer

  • dongyu8664 2016-12-18 00:24

    You can't trust the client? Correct.
    But...
    You are the captain of this ship. So your server needs to be smart enough to detect the cheating.
    If a certain task in game gives 200 gold, you can send the reference of that task along with the value (200,"SomeTask"). Now if the client tries to send (10000,"SomeTask"), the server would consider it cheating. You might say that the client can earn variable gold based on how well they perform the task; in that case you can have a max-limit value for every task and check before adding the gold to the database.

    And never send total gold from the client to be saved in the database. The client should only be able to send newly earned gold and will get back the total value.

    For Example:

    Database: 2000 gold  -> Game: 2000 gold
    
    Game: POST (130,"pickupjewel");
    
    Database: if (130 <= MaxValue("pickupjewel")) [TRUE] -> SUCCESS
    Database: 2130 gold -> Game: 2130 gold
    
    
    Game: POST (999999,"pickupjewel");
    
    Database: if (999999 <= MaxValue("pickupjewel")) [FALSE] -> FAILURE
    Database: 2130 gold -> Game: 2130 gold
    

    I hope this helps. Let me know if you have any specific issue.

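The per-task limit check from the answer above, written out as a server-side PHP function. This is an added example, not code from the question or the answer; the task names, their limits, the player id and the in-memory SQLite table are constructed for illustration, and the player id is assumed to come from the server-side session rather than from the request.

```php
<?php
// Added example. Task names, limits and the player row are constructed sample
// values; SQLite in memory stands in for the game's real database.
const MAX_REWARD = ['pickupjewel' => 200, 'sometask' => 200];

function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE players (id INTEGER PRIMARY KEY, gold INTEGER NOT NULL)');
    $db->exec('INSERT INTO players (id, gold) VALUES (1, 2000)');
    return $db;
}

function currentGold(PDO $db, int $playerId): int {
    $stmt = $db->prepare('SELECT gold FROM players WHERE id = :id');
    $stmt->execute([':id' => $playerId]);
    return (int) $stmt->fetchColumn();
}

// $post is what the client sent ($_POST in a real endpoint). $playerId is
// assumed to come from the server-side session, never from the request body.
function claimReward(PDO $db, int $playerId, array $post): array {
    $task = $post['task'] ?? '';
    // FILTER_VALIDATE_INT rejects "12abc", floats, arrays and values below 1.
    $amount = filter_var($post['amount'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if (!is_string($task) || !array_key_exists($task, MAX_REWARD)
        || $amount === false || $amount > MAX_REWARD[$task]) {
        return ['ok' => false, 'gold' => currentGold($db, $playerId)];
    }
    // Increment in SQL: the client sends only the delta, never the total.
    $stmt = $db->prepare('UPDATE players SET gold = gold + :amt WHERE id = :id');
    $stmt->execute([':amt' => $amount, ':id' => $playerId]);
    return ['ok' => true, 'gold' => currentGold($db, $playerId)];
}

$db = makeDb();
foreach ([
    ['amount' => '130', 'task' => 'pickupjewel'],     // within the task's limit
    ['amount' => '999999', 'task' => 'pickupjewel'],  // over the task's limit
    ['amount' => '-500', 'task' => 'pickupjewel'],    // negative amount
    ['amount' => '130', 'task' => 'nosuchtask'],      // task the server does not know
] as $post) {
    echo json_encode($post + claimReward($db, 1, $post)), "\n";
}
```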
