
Questions on MySQL Security Concerns

Hello everyone,

So I have been reading up on getting UE4 to service some database implementations. The main thing I found interesting was that there are many posts about using SQL code in binaries as a security risk.

So I have a few questions I have not found specific answers to, but first let me provide some context and environment information. I am working on a project where player stats are to be saved to an Amazon RDS server running MySQL. This data will be used for tracking purposes in addition to other stuff such as trend analytics and the like. For the moment we would not have many players as we are still in testing, but we expect to eventually have many players playing at once.

This will be a sort of strange project setup. There will be a connection from the game, which will be played locally, to our database which will update after set periods of time. We don’t anticipate moving this to an MMO-like structure with certain aspects being hosted on a server somewhere; all local to the player’s computer except for this MySQL piece.

So, now the questions.

I had read that if you write local connection code that it can be pulled from the binaries? Is this true or would there be certain other programs involved? Is there a way this could be mitigated, say having a login screen within the game that uses a POST or REST call to “log in” to the game this way only those with actual accounts with us would be able to access the parts where it may be possible to sniff the connections to the database? We will have tight control over who is playing the game and we don’t expect our players to have the technological sophistication or ability to do something like that.

If somehow Unreal writes this information to a plain file somewhere, where the user can see it, we would need to know that. We plan to do everything within some custom C++ classes with no connection information stored outside of the game or in any blueprints.

What are the potential secondary impacts to putting SQL command calls into code? For example, does UE4 expose the calls to injection even when using parameterized queries? What about if the statements were scrubbed beforehand in addition to being parameterized?

Is it possible to modify variables from the console in-game?

Are there any other things we should be aware of? We don’t really care if it is not “standard practice” if there are ways we can mitigate some of the potential risk both through various in-code techniques and the way in which users will be able to access the game.

We want to avoid using PHP intermediary files at all costs for as much of our game as possible; we tried this approach in a much earlier version of our game using a different platform and found not only is it too slow but also would be too costly in time and money to implement for our game given the scale of what we are doing.

Given some of what I have read, we may need to consider separating the sensitive information that our database will hold and the rest which will normally be interacted with from the game; this would make more sense if we had a REST/POST call for logging in to that section of the database so if there was an intrusion all they would find is data that would be relatively worthless to them and modification of the data would not result in much of an impact. The two databases would not interact with each other within the game and we won’t have any kind of real-money purchases so the data in the non-sensitive database is not too important generally.

I have searched for a while for some specifics on the questions above but I was not able to find enough information to answer these questions to my liking.

Thanks.

Not even any need to pull them; it can be used as a springboard to mess with your DB. Don't ever do this.

PDO doesn't help you if you go on with your plan of having the connection exposed in-game, and anything that is on the client side can be modified beyond your control; the server should always sanitize the input.

You have tight control over who is playing it, is it a North Korea exclusive? You should never underestimate your players and think of them as angels that barely can find the power button :wink:

If I found out that I can do my own SQL queries in a game I would simply set it up to delete the tables every 5 minutes just to make some guy cry on the other side of the world.

PHP has zero to do with MySQL; you can use any language you see fit. With correct hardware and optimized tables there can be a huge number of queries per second.

But your first statement says that it’s more analytic data that you want to send on a regular basis, so I can't see why speed would be an issue; just send the data in the background and let the server take its time to process it.

So UE4 is just unsafe period with MySQL in general? Is this an engine flaw or just in the way that Epic designed what way it communicates with a database (kind of the same thing I guess)? To the second question (devil’s advocate), what if we obfuscated as much as possible what our function calls were doing in the backend by making parameter data less obvious? If we build our queries in the code exclusively with no operations exposed and strict data checking could any of the risk be minimized? Or is it just pants down, wide open no matter what?

We would have tight control as, under “our” current train of thought we would have the login to our account servers be using a REST command or POST straight into PHP. If they don’t have a subscription with us they can’t get in. At that point we could try to lock the sql stuff behind as much flack as possible but what you seem to be saying is that it won’t be enough even with data scrubbing, parameterization, and no access to the actual query commands being called from the blueprints to the code.

I was hoping that variables could be completely locked down from changes in the console but that doesn’t appear to be the case?

“We” (others on the team) didn’t like the idea of using PHP prior due to our experience with a game “engine” called GameSalad where you had to set up individual PHP files containing a horrid JSON structure containing special code IDs from each table in the project for return data transfer. It was going to quadruple our development time and costs so PHP or back-end server anything scares them off faster than a guy in a van handing out free candy. I suspect none of this craziness is needed with UE4, I just need to find the specifics to convince the others on the project of this.

If we have to build a REST API on our end to do it I think I can spin it as a positive. Need to do some digging on the marketplace to see if there is something like that for the client side (I think I recall seeing something like it a while back).

Thanks for the info.

Anything you expose to the client can be manipulated and hacked. Your REST API should only contain functions that can be easily validated on the server prior to formulating a query. Don’t add any SQL in the API - only unit/game functions that the server converts. The back-end (in your case it’s SQL) should only be known by you and only accessible by the server. If you are using input from the user to pass through to your API, make sure you are using either parameterized queries, or stored procs. There is no way to “sanitize” user input to the point it is safe for a query.

Basically, it’s all about separating the layers. Even forgetting about security for a second, say you decide to switch from a SQL back-end to something like Mongo. Your interface (REST API) won’t have to change and all you’ll need to implement is the data layer - everything after the API. Keeping the business/game logic intact.

Just my .02 but something I do in the real world on every project I start.
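
The layering described in the last reply, as an added example that is not code from any poster in this thread: the server exposes one game-level function, validates every field, takes the player identity from its own session table, and only then runs parameterized queries. The table names, stat limits and `submit_stats` function are hypothetical, and `sqlite3` stands in for the MySQL instance on RDS so the block runs offline.

```python
import sqlite3

# Hypothetical stat whitelist with (min, max) bounds; anything else is rejected.
ALLOWED_STATS = {"kills": (0, 10_000), "play_seconds": (0, 86_400), "level": (1, 100)}

def make_db():
    """In-memory stand-in for the real database, with one constructed session."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (token TEXT PRIMARY KEY, player_id INTEGER NOT NULL)")
    db.execute("CREATE TABLE player_stats (player_id INTEGER, stat TEXT, value INTEGER, "
               "PRIMARY KEY (player_id, stat))")
    db.execute("INSERT INTO sessions VALUES (?, ?)", ("constructed-token-1", 42))
    return db

def submit_stats(db, token, stats):
    """Game-level API call: the client sends a session token and stat values, never SQL."""
    row = db.execute("SELECT player_id FROM sessions WHERE token = ?", (token,)).fetchone()
    if row is None:
        return {"ok": False, "error": "not logged in"}
    if not isinstance(stats, dict) or not stats:
        return {"ok": False, "error": "bad payload"}
    clean = []
    for name, value in stats.items():
        limits = ALLOWED_STATS.get(name)
        # Unknown stat names, non-integers and out-of-range values never reach a query.
        if limits is None or type(value) is not int or not limits[0] <= value <= limits[1]:
            return {"ok": False, "error": f"rejected field {name!r}"}
        clean.append((row[0], name, value))
    # player_id comes from the server-side session, not from the request body.
    with db:  # one transaction: all validated rows are written, or none
        db.executemany(
            "INSERT OR REPLACE INTO player_stats (player_id, stat, value) VALUES (?, ?, ?)",
            clean)
    return {"ok": True, "written": len(clean)}

if __name__ == "__main__":
    db = make_db()
    # Constructed requests: one valid, one with a tampered stat name, one with a bad token.
    print(submit_stats(db, "constructed-token-1", {"kills": 7, "level": 3}))
    print(submit_stats(db, "constructed-token-1", {"gold; --": 1}))
    print(submit_stats(db, "no-such-token", {"kills": 1}))
```

The game client only needs the API URL and a session token; the database host, credentials and schema stay on the server.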