doushi3819244 2016-12-17 23:17

Unity3D to PHP security issue

I have a question I am stumped on. Okay, this is for a game of mine in Unity3D.

To make this make sense in terms of what people normally play. Let's say the player has 500 Gold in their account (saved on database). And the player earns 243 gold by doing some kind of task, how could the game (Unity3D) tell the PHP file they earned specifically 243 Gold?

Because here's where the issue lies: in Unity3D there's a class called WWW. It allows you to send some sort of string to a PHP file.

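int currentGold = 0; // Initialized so the snippet compiles; the real value is held by the client
string goldToSend = currentGold.ToString(); // Only using that for example.

WWWForm form = new WWWForm();
form.AddField("NameOfPostRequestInPHPFile", goldToSend); // POST field read by the PHP file
WWW www = new WWW("website.com/PHPFile.php", form);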

Now as you can see, I am in a pretty big dilemma, being you can't trust the client with anything, how would one actually send a random gold amount from the client side to the PHP to then put into a database.

The issue I am facing is, how can one really make a PHP understand what's going on in the game without the client actually telling it a thing, and being you can't trust the client, how can the client actually tell the PHP to load, use this data and then put it into the database.

I thought about using hashes and stuff, but then that still brings up the problem client side.

Let's say

if (sentGold == 243) {
    string hash = hash01;
    // Change it to hash1000 (to get 1000 gold).
}
if (sentGold == 1000) {
    string hash = hash1000;
}

As you can see, using if statements clearly wouldn't work either, because then the hashes could just be changed locally to fit their devious attempts. Plus it looks like garbage to have 20K if statements.

I know it's impossible to entirely stop hacking. But at the same time, if I do something I want to do it right, not half-a**ed if you get what I mean?

If you've made it to this point reading my help message. I really appreciate the time you've put into reading it, it means a lot to me.

Now, if there's some other technology or hints you might know that could help me with this, or heck even a tutorial on it (I've been looking for days), but I'm still deadlocked because nobody is addressing the fact that yeah they might use secret keys and so forth, but they are failing to address that the string they send can be easily tampered with. All they gotta do is change from 243 to 9999999999 and then they are rich.

1 answer

  • dongyu8664 2016-12-18 00:24

    You can't trust the client? Correct.
    But...
    You are the captain of this ship. So your server needs to be smart enough to detect the cheating.
    If a certain task in game gives 200 gold, you can send the reference of that task along with the value (200,"SomeTask"). Now if client tries to send (10000,"SomeTask"), server would consider it cheating. You might say that client can earn variable gold based on how well they perform the task; in that case you can have a max-limit value for every task and check before adding the gold to database.

    And never send total gold from client to be saved in database. Client should only be able to send newly earned gold and will get back the total value.

    For Example:

    Database: 2000 gold  -> Game: 2000 gold
    
    Game: POST (130,"pickupjewel");
    
    Database: if (130 <= MaxValue("pickupjewel")) [TRUE] -> SUCCESS
    Database: 2130 gold -> Game: 2130 gold
    
    
    Game: POST (999999,"pickupjewel");
    
    Database: if (999999 <= MaxValue("pickupjewel")) [FALSE] -> FAILURE
    Database: 2130 gold -> Game: 2130 gold
    

    I hope this helps. Let me know if you have any specific issue.

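The check described in the answer, written out as an added PHP example (not code from the question or the answer): the server owns a per-task cap, validates the reported amount against it, increments the stored balance itself, and returns the new total. The cap values, the `players` table, the `creditGold` function and the in-memory SQLite database are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical per-task caps. The server owns this table; the client never sends it.
const TASK_MAX_GOLD = ['pickupjewel' => 200, 'SomeTask' => 200];

/**
 * Validate a client-reported reward and credit it server-side.
 * Returns the new total on success, or null when the request is rejected.
 */
function creditGold(PDO $db, int $playerId, string $task, $amount): ?int
{
    if (!array_key_exists($task, TASK_MAX_GOLD)) {
        return null; // unknown task reference
    }
    // Accept only a whole number in 1..cap; "999999", "-5", "1e3" and "12abc" all fail.
    $gold = filter_var($amount, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => TASK_MAX_GOLD[$task]],
    ]);
    if ($gold === false) {
        return null;
    }
    // Increment inside the database; the client never supplies the total.
    $upd = $db->prepare('UPDATE players SET gold = gold + :g WHERE id = :id');
    $upd->execute([':g' => $gold, ':id' => $playerId]);
    if ($upd->rowCount() !== 1) {
        return null; // no such player
    }
    $sel = $db->prepare('SELECT gold FROM players WHERE id = :id');
    $sel->execute([':id' => $playerId]);
    return (int) $sel->fetchColumn();
}

// Constructed demo data: in-memory SQLite with one player holding 2000 gold.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE players (id INTEGER PRIMARY KEY, gold INTEGER NOT NULL)');
$db->exec('INSERT INTO players (id, gold) VALUES (1, 2000)');

// Amounts arrive as strings, as they would in $_POST.
var_dump(creditGold($db, 1, 'pickupjewel', '130'));    // amount within the cap
var_dump(creditGold($db, 1, 'pickupjewel', '999999')); // amount over the cap
var_dump(creditGold($db, 1, 'nosuchtask', '130'));     // task not in the table
```

The cap bounds a single request only; a real endpoint would take the player id from the authenticated session and record task completions server-side so the same reward cannot be claimed repeatedly.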
