I’ve been working with the VaRest Plugin to log in through PHP but it doesn’t seem like a good solution. Sometimes it’s unstable. I’ve been thinking of connecting to MySQL directly from the game. However, players will not be able to host games, so if I use my MySQL password and username in a config, shouldn’t that make it secure? I mean even if someone manages to host a game somehow, he will need the password in this .ini file, therefore my database should be secure. Is that a mistake?
Never connect to a database directly from client software or include any info about it in the client. Even if they don’t have any login info available, it’s a security risk to have the server exposed to anyone. You should always have something in between, like a web service. I haven’t used VaRest but you could try finding alternatives or make your own .php with a custom input/output structure.
Well the players won’t be connected. I don’t understand why it’s risky, they can’t do anything to my database, worst case scenario they manage to open a server with their own database
What do you mean players won’t be connecting, when you said “I’ve been thinking of connecting to MySQL directly from the game”? Where will your database be then?
No matter who makes the connection, if your server is open to anyone on the network they can do brute-force/DDoS-style attacks at minimum.
Indeed, just create a web service. You have many options: NodeJS, WebAPI, WCF, PHP. And send the data via HTTP requests from the game server to the web server.
Couldn’t this also be done to your web service and bring it down?
It also seems inherently possible that someone could hack your web service and access your DB.
Yes, a web site or service can be bombed down too, but usually it’s still the correct place to take the hit when one happens, instead of the actual database or infrastructure.
Properly made web services are not really hackable, as they usually have a strictly typed interface in and out and are possibly tied to a database account that has read-only access or limited rights to different tables/procedures. You can really mess up only by writing sloppy code, like passing web service parameters directly to a database query.
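The point made in the post above (typed interface in and out, a read-only database account, no request parameters pasted into queries), as an added example that is not part of the original thread. Python with in-memory SQLite stands in for the web service and MySQL; the function names, table layout and player-name pattern are assumptions.

```python
import re
import sqlite3

NAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")  # assumed player-name format

def make_db():
    """Constructed sample data; in-memory SQLite stands in for MySQL."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE stats (player TEXT PRIMARY KEY, kills INTEGER)")
    db.executemany("INSERT INTO stats VALUES (?, ?)", [("alice", 12), ("bob", 7)])
    db.commit()
    # Stand-in for a read-only database account: writes now fail.
    db.execute("PRAGMA query_only = ON")
    return db

def get_stats_sloppy(db, player):
    """The mistake: the request parameter becomes part of the SQL text."""
    sql = "SELECT player, kills FROM stats WHERE player = '" + player + "'"
    return db.execute(sql).fetchall()

def get_stats_strict(db, player):
    """Typed input, bound parameter, typed output."""
    if not isinstance(player, str) or not NAME_RE.fullmatch(player):
        raise ValueError("invalid player name")
    rows = db.execute(
        "SELECT player, kills FROM stats WHERE player = ?", (player,)
    ).fetchall()
    return [{"player": str(p), "kills": int(k)} for p, k in rows]

def write_allowed(db):
    """True if this connection can modify data."""
    try:
        db.execute("UPDATE stats SET kills = 0")
        return True
    except sqlite3.OperationalError:
        return False

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed input
    print("sloppy:", get_stats_sloppy(db, crafted))
    try:
        get_stats_strict(db, crafted)
    except ValueError as e:
        print("strict:", e)
    print("strict:", get_stats_strict(db, "alice"))
    print("write allowed:", write_allowed(db))
```

The sloppy lookup returns every row for the crafted name, while the strict one rejects it before any query runs, and the read-only connection refuses the update either way.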
Hackers will totally love you doing this; they certainly won’t attack your server and certainly won’t shut it down on the first day :s
As I said, the players will not host, and therefore will not connect to any database. Here is my idea: Players will connect to my game server, and my server will connect to a local database to access data, like player statistics. That means I can make my database accept only connections from localhost.
Uhm yeah… that’s how most web services work exactly :rolleyes:
Your original post did not say anything about a game server, so it was confusing.