Windows php/mysql checking name/password and retrieving data

Dengar

Guest
I'm using GM Studio 1 and already have a MySQL database set up that holds player name, password, and other such data.

There are two separate functions that I need to perform:

The first is to check a name/password combination and simply return true/false.

And the second thing is I need to send a group of names and then return various data about those players. For example, GameMaker sends a request with the names "bob, bill, tom"; the PHP script would check the database and return data for those players, such as which sprite to use and inventory. The script would need to check multiple values within the database.

I've searched the forums and Google but I'm still not sure where to start.

Any help would be appreciated, thanks.
 
Do you have problems with the server side, the client side or both?
Have you tried anything yet?
Do you have any experience with php, mysql and http in GM?

EDIT:
I kinda wanna know so I know how deep I need to go.
 
Here is somewhat what you need on the server side.
I haven't tried it so there might be some things that won't work.
You also obviously need to edit the code so that it works with your database.

Code:
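<?php
// Database connection settings (replace with your own).
$db_host = "my_host";
$db_user = "my_user";
$db_pw = "my_password";
$db_name = "my_database";

$db = new mysqli($db_host, $db_user, $db_pw, $db_name);
if ($db->connect_error) { die("error"); }

if ($_POST['action'] == "getUser") {
    // Escape both inputs before they are placed inside the quoted SQL strings.
    $user_name = $db->real_escape_string($_POST['user']);
    $password = $db->real_escape_string($_POST['pw']);

    // The password is compared exactly as it is stored in the table.
    $r = $db->query("SELECT * FROM users WHERE user = '".$user_name."' AND password = '".$password."'");
    if (!$r) { die("error"); } // query() returns false on failure

    // Reply "1" for a matching name/password pair, "0" otherwise.
    if ($r->num_rows == 1) {
        echo "1";
    }
    else {
        echo "0";
    }
}
elseif ($_POST['action'] == "getUsers") {
    // 'users' is a comma-separated list of names, e.g. "bob,bill,tom".
    $users = $db->real_escape_string($_POST['users']);
    $users = explode(",", $users);
    // Wrap every (already escaped) name in quotes for the IN (...) list.
    foreach ($users as &$v) {
        $v = '"'.$v.'"';
    }
    unset($v); // drop the reference left behind by the foreach
    $users = implode(",", $users);

    $r = $db->query("SELECT * FROM users WHERE user in (".$users.")");
    if (!$r) { die("error"); } // query() returns false on failure

    // Reply format: fields separated by "," and players separated by "|".
    $send = "";
    while ($e = $r->fetch_object()) {
        $send .= $e->sprite.",";
        $send .= $e->inventory.",";
        $send .= $e->someOtherStuff."|";
    }
    // Remove the trailing "|".
    echo substr($send, 0, -1);
}
else {
    echo "error";
}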
 

zbox

Member
GMC Elder
Sorry to not contribute much here but I just want to say... Never ever store the passwords in cleartext!!! (Which, by the looks of the above code, this operates on that assumption). Have a quick google why :)
 
Sorry to not contribute much here but I just want to say... Never ever store the passwords in cleartext!!! (Which, by the looks of the above code, this operates on that assumption). Have a quick google why :)
Funny that you noticed that, the code originally contained:
Code:
$password = md5($_POST['pw']);
instead of:
Code:
$password = $db->real_escape_string($_POST['pw']);
But I took it out to simplify it but you are right, it's a really bad idea to do so.
 

NightFrost

Member
Well, while on the subject of databases, it also should be noted that md5 these days is really not a secure hashing algorithm for passwords (can be broken too quickly) and salting passwords is a good idea too.
 
Well, while on the subject of databases, it also should be noted that md5 these days is really not a secure hashing algorithm for passwords (can be broken too quickly) and salting passwords is a good idea too.
Code:
$password = password_hash($_POST['pw'], PASSWORD_ARGON2I);
Is this good enough?
I know that md5() isn't good enough but I've never bothered to find out what's the new best practice (shame on me), at least I haven't used it in production. :p
It's bad to use it in examples tho so I'm really sorry for that.
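
Added example, not part of the original posts: how a `password_hash()` value is stored and then checked at login with `password_verify()`, since the salted hash cannot be matched inside the `WHERE` clause the way the plaintext password was. It assumes a `pw_hash` column and uses PDO with an in-memory SQLite table as a stand-in for the MySQL database so that it runs on its own.

```php
<?php
// Added example. An in-memory SQLite table (constructed) stands in for the
// thread's MySQL "users" table; the pw_hash column name is an assumption.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');

// Registration (the website side): store only the hash string.
function register_user(PDO $db, string $user, string $pw): void {
    // password_hash() picks a random salt and embeds it, together with the
    // algorithm and cost, in its return value. PASSWORD_DEFAULT is bcrypt;
    // PASSWORD_ARGON2I is used the same way where PHP is built with Argon2.
    $st = $db->prepare('INSERT INTO users (user, pw_hash) VALUES (?, ?)');
    $st->execute([$user, password_hash($pw, PASSWORD_DEFAULT)]);
}

// Login (the "getUser" action): returns true/false.
function check_login(PDO $db, string $user, string $pw): bool {
    // Look the row up by name only. Hashing the submitted password again
    // would use a new salt, so it can never equal the stored string.
    $st = $db->prepare('SELECT pw_hash FROM users WHERE user = ?');
    $st->execute([$user]);
    $hash = $st->fetchColumn();
    if (!is_string($hash) || !password_verify($pw, $hash)) {
        return false;
    }
    // Upgrade the stored hash when the default algorithm or cost has changed.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $up = $db->prepare('UPDATE users SET pw_hash = ? WHERE user = ?');
        $up->execute([password_hash($pw, PASSWORD_DEFAULT), $user]);
    }
    return true;
}

// Constructed sample account, answered in the thread's "1"/"0" reply format.
register_user($db, 'bob', 'correct horse battery');
echo check_login($db, 'bob', 'correct horse battery') ? "1" : "0", "\n";
echo check_login($db, 'bob', 'wrong guess') ? "1" : "0", "\n";
echo check_login($db, 'nobody', 'anything') ? "1" : "0", "\n";
```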
 

Pfap

Member
Why are you using a password? Is your service or game going to be playable across different devices? If you only allow a single logon per device, as with mobile apps, a password really just becomes something extra you need to manage. If you're going to have an app that users can play on multiple devices though, then that's a different story.
 

zbox

Member
GMC Elder
Well, while on the subject of databases, it also should be noted that md5 these days is really not a secure hashing algorithm for passwords (can be broken too quickly) and salting passwords is a good idea too.
Whilst this is true, it's a little misleading - it has always been unsecure for hashing passwords, since inception. MD5 is not a password digest, it's a comparison digest (So are hashes like the SHA family). It is designed to be very fast - not something that you want when you're hashing a password. The 'MD5 is unsecure' you are referencing is the fact that it is now unsecure to compare files with (because of clashes), not unsecure for passwords.

You need to use a password hashing algorithm, which is slow!
 
Fishman1175

Guest
I wrote a matchmaking server a while ago, feel free to look through the server side code and use any of it (for your game only).
Scripts to maybe look at would be db_connector.php, game_login.php

http://host-a.net/u/sdargiewicz/Matchmaking_Server.zip

You can ignore the part with registrant/code parameters if you want. That was a key I put in my game's code to try and make sure only the game would be able to run these scripts.

You use game maker's http_post_string to activate these scripts and pass them data.
 
Dengar

Guest
Wow, thanks for all the input.
How would it work trying to request multiple data from a database? For example, in the database if I have "name, password, sprite, powerup1, powerup2" and in-game I have an object for each player,
and I sent a list of names to the server with something resembling the below code
Code:
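// Build a form-encoded body: name0=...&name1=...&name2=...
var lis = "";
var num = 0;
repeat (number_of_players) // number_of_players: how many names to send
{
    if (num > 0) lis = lis + "&"; // fields are separated by "&"
    lis = lis + "name" + string(num) + "=" + player_name;
    num += 1;
}
// http_post_string takes the url first, then the body
post = http_post_string("your server url", lis);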
Now how would the PHP cycle through this list and pull, for example, the values for the player's "sprite, powerup1, and powerup2" for each player and send it all back to GameMaker?
This is where I'm really lost.
 
Fishman1175

Guest
Use the SQL language to interact with your database.



You need to construct a SELECT statement from the values the user passes in, and send it to the database. The database will return the data that matches that criteria to your PHP script. Then your PHP script needs to ECHO back the data in a way your game will know how to understand. You come up with the format for that part, or you can use JSON. I think there are examples of all of this happening in the matchmaking server.
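
Added example, not part of the original posts and not taken from the matchmaking server: one way to build that SELECT from a list of names with bound placeholders and echo the result as JSON. The column names come from the question; the `users` field name, the `$max` limit and the use of PDO with an in-memory SQLite table in place of MySQL are assumptions made so that it runs on its own.

```php
<?php
// Added example. Constructed rows in an in-memory SQLite table stand in for
// the MySQL table with the columns named in the question.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT,
           sprite TEXT, powerup1 INTEGER, powerup2 INTEGER)');
$ins = $db->prepare('INSERT INTO users VALUES (?, ?, ?, ?, ?)');
foreach ([['bob', 'x', 'spr_knight', 1, 0], ['tom', 'x', 'spr_mage', 0, 3],
          ["o'neil", 'x', 'spr_rogue', 2, 2]] as $row) {
    $ins->execute($row);
}

// $csv is the comma-separated list sent by the game, e.g. "bob,bill,tom".
// $max (hypothetical limit) caps how many names one request may ask for.
function get_players(PDO $db, string $csv, int $max = 32): array {
    $names = array_filter(array_map('trim', explode(',', $csv)),
                          fn($n) => $n !== '');
    $names = array_values(array_unique($names));
    if ($names === [] || count($names) > $max) {
        return [];
    }
    // One "?" per name: the values travel separately from the SQL text,
    // so quotes inside a name cannot change the statement.
    $marks = implode(',', array_fill(0, count($names), '?'));
    // Name the columns explicitly so the password column is never returned.
    $st = $db->prepare("SELECT name, sprite, powerup1, powerup2
                        FROM users WHERE name IN ($marks)");
    $st->execute($names);
    $out = [];
    foreach ($st->fetchAll(PDO::FETCH_ASSOC) as $row) {
        $name = $row['name'];
        unset($row['name']);
        $out[$name] = $row; // keyed by player name; unknown names are absent
    }
    return $out;
}

header('Content-Type: application/json');
echo json_encode(get_players($db, $_POST['users'] ?? "bob,bill,o'neil"));
```

On the GameMaker side the reply can be passed to json_decode, which gives a ds_map keyed by player name.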
 
Dengar

Guest
Thank you Fishman1175 for the picture and I'll look through your code in a moment, thank you for sharing it.
I understand the theory; it's what functions to use and how to use them that is the part I need help with. The only thing I've ever written in PHP was a 7k+ line game server that used waaaaay too much string parsing, a long if else statement, and txt files because I couldn't get databases to work. I wrote it like a noob learning GameMaker and not how PHP should be written.

Well, now I do have a database set up but am having trouble figuring out how to properly write the PHP part and how to interact with the database. See my previous post :)

Why are you using a password?
I'm assuming this is a serious question.
My game concept has two parts, a website and a client.
The website is where you create a player account and in the future will be able to purchase powerups and addons for their character. These are stored in the database.
The game client simply checks the name/password when you log in to decide whose player data to retrieve from the database.
If only a name was stored then everybody would have access to anybody's account.
 

Pfap

Member
Thank you Fishman1175 for the picture and I'll look through your code in a moment, thank you for sharing it.
I understand the theory; it's what functions to use and how to use them that is the part I need help with. The only thing I've ever written in PHP was a 7k+ line game server that used waaaaay too much string parsing, a long if else statement, and txt files because I couldn't get databases to work. I wrote it like a noob learning GameMaker and not how PHP should be written.

Well, now I do have a database set up but am having trouble figuring out how to properly write the PHP part and how to interact with the database. See my previous post :)


I'm assuming this is a serious question.
My game concept has two parts, a website and a client.
The website is where you create a player account and in the future will be able to purchase powerups and addons for their character. These are stored in the database.
The game client simply checks the name/password when you log in to decide whose player data to retrieve from the database.
If only a name was stored then everybody would have access to anybody's account.

Yes, it was a serious question. I know it's idealistic thinking, but I personally dislike passwords and I think most people do. I think the future will hold different ideas about authentication other than passwords. Anyways, I get around it by using the services provided by Apple, and Google, and have also thought about using a login with Facebook type of authentication as well. I feel people are less likely to try new stuff if they have to create yet another account.


In regards to your question about PHP cycling through a list I'm using this script:

Code:
// this is PHP code on the server

// connect to the Redis db
$redis = new Redis();
$redis->connect('127.0.0.1', 6379);

// decode the JSON body sent by the game into an associative array
$data = json_decode(file_get_contents('php://input'), true);

if ($data != null) {
    $key = $data['key'];        // user_score
    $high_score = $data['score'];
    $name = $data['element'];
    $losses = $data['losses'];  // user_total
}


I really like using Redis; it's more flexible in how you can manipulate data; less structured.

The GML side of things is below.

Code:
// send data
var state, strredis;

state = ds_map_create();

// the keys match the fields the PHP script reads
ds_map_add(state, "key", global.user);
ds_map_add(state, "score", my_data);
ds_map_add(state, "element", my_data);
ds_map_add(state, "losses", my_data);

// encode the map as JSON and post it as the request body
strredis = json_encode(state);
http_post_string("your server url", strredis);

ds_map_destroy(state);

From my understanding the Gamemaker ds_map is basically a PHP array. Probably not strictly true, but the above has worked for me.
 
zbox

Member
GMC Elder
Yes, it was a serious question. I know it's idealistic thinking, but I personally dislike passwords and I think most people do. I think the future will hold different ideas about authentication other than passwords. Anyways, I get around it by using the services provided by Apple, and Google, and have also thought about using a login with Facebook type of authentication as well. I feel people are less likely to try new stuff if they have to create yet another account.
I agree, but this also creates a single point of failure and a lot of people who don't understand Facebook login believe that it will give the site total access to their account. So important to still have the option for both those reasons at least!
 
Dengar

Guest
Yes, it was a serious question.
Gotcha, didn't mean to seem rude. I'm old-school so I'm not familiar with this login with Facebook etc. stuff. I always shy away from stuff like that when I see it.
 

Pfap

Member
I agree, but this also creates a single point of failure and a lot of people who don't understand Facebook login believe that it will give the site total access to their account. So important to still have the option for both those reasons at least!
Yes, I guess I spend more energy trying to get myself out of work. Right now I'm struggling to decide how to handle saving the player's progress on mobile in the case of them getting a new device. I'm leaning towards making some type of data upload and download which would be tied to an id that's generated server side; or, using GameMaker's gamecenter functions and trying to in a way "shoehorn" my way onto Apple's or Google's servers. I'm not sure what happens in the case of multiple users on one Apple account or Google account though...

Back to the point though, how many users access applications on more than one device? And if they do you could just send them a server generated code from the device they registered with. Although, this is really impractical for any shared devices or in the case of using a library computer etc...
 

Pfap

Member
Gotcha, didn't mean to seem rude. I'm old-school so I'm not familiar with this login with Facebook etc. stuff. I always shy away from stuff like that when I see it.
That's probably good... there's an API for everything and then you're stuck relying on whoever maintains that lol. It's good to be independent :)
 