Hosting my own database

Let’s say I have a game, in the game the user have bought an item. I want this transaction to be stored server-side and the user’s inventory to be updated on server-side too…

I know there is some plugins that offers this like playfab, but I want to have my own mysql database.

As I know the first step is to host the database somewhere, after hosting the database how to update/write/delete ?

If it’s trough PHP, then how to make sure that nobody can access/edits that database except for my app ?

Also, is anyone’s corona docs broken ?

https://i.snag.gy/R6f8FK.jpg

Maybe you can use this video as a start ?? It’s old don’t know if it still works 

https://www.youtube.com/watch?v=iIeJEBQYA10&t=638s

I believe that tutorial would still be valid from the networking/database side.

Rob

Yes, it’ll work, but what about security ?

That way any script any one can access my database and read what’s inside of it, also if I am going to edit the database then the person would also be able to update it…

I thought to provide the database password in the POST/GET method so it would be inaccessible by others, but also I remembered that apks can be decompiled easily and everyone would know the password, so what to do, or what is the most secure way ? 

Well if you use https: and POST requests, your data will be automatically encrypted for you.  Your scripts would probably need to support some form of session management  or passing credentials with each call to validate it. This will keep people from running your scripts from a web-browser. Your scripts should only allow very specific actions and not allow general access to your database.

For the best security you would implement your own username/password scheme that the user has to enter (like a banking app) and get a token/session id back and then you pass that session id back to the server.

Rob

What does that mean exactly ? like I would request the password from the server then use that password in the POST request ? or that the server will temporarily create a random token and store this token somewhere, and when the server receives a POST request with the token it will check if the token is stored in the server and if it is then continue if not then error ?

wouldn’t that mean that someone could also generate the token and continue the process ? 

It sounds like you want to authenticate the user, generate a token for the user and send token back to the App.  Use the token to authorize the data exchange with the server-side service (PHP).  Depending on requirements the token could be retained for a period of time and then expires requiring re-authentication and token generation.

Token generation, you could look at Scott’s comment here: http://stackoverflow.com/questions/1846202/php-how-to-generate-a-random-unique-alphanumeric-string/13733588#13733588   (includes notes on PHP7 updates as well)

It would be really nice with a tutorial fra a-z regarding this. Maybe it could be implemented in the demo business app ??

Full end-to-end security is a deep topic and not embarked upon lightly. I recommend taking the time to do some reading on the subject and looking for Lua-based libraries which might help you, rather than rolling your own if you’ve not had this exposure before.

Maybe you can use this video as a start ?? It’s old don’t know if it still works 

https://www.youtube.com/watch?v=iIeJEBQYA10&t=638s

I believe that tutorial would still be valid from the networking/database side.

Rob

Yes, it’ll work, but what about security ?

That way any script any one can access my database and read what’s inside of it, also if I am going to edit the database then the person would also be able to update it…

I thought to provide the database password in the POST/GET method so it would be inaccessible by others, but also I remembered that apks can be decompiled easily and everyone would know the password, so what to do, or what is the most secure way ? 

Well if you use https: and POST requests, your data will be automatically encrypted for you.  Your scripts would probably need to support some form of session management  or passing credentials with each call to validate it. This will keep people from running your scripts from a web-browser. Your scripts should only allow very specific actions and not allow general access to your database.

For the best security you would implement your own username/password scheme that the user has to enter (like a banking app) and get a token/session id back and then you pass that session id back to the server.

Rob

What does that mean exactly ? like I would request the password from the server then use that password in the POST request ? or that the server will temporarily create a random token and store this token somewhere, and when the server receives a POST request with the token it will check if the token is stored in the server and if it is then continue if not then error ?

wouldn’t that mean that someone could also generate the token and continue the process ? 

It sounds like you want to authenticate the user, generate a token for the user and send token back to the App.  Use the token to authorize the data exchange with the server-side service (PHP).  Depending on requirements the token could be retained for a period of time and then expires requiring re-authentication and token generation.

Token generation, you could look at Scott’s comment here: http://stackoverflow.com/questions/1846202/php-how-to-generate-a-random-unique-alphanumeric-string/13733588#13733588   (includes notes on PHP7 updates as well)

It would be really nice with a tutorial fra a-z regarding this. Maybe it could be implemented in the demo business app ??

Full end-to-end security is a deep topic and not embarked upon lightly. I recommend taking the time to do some reading on the subject and looking for Lua-based libraries which might help you, rather than rolling your own if you’ve not had this exposure before.