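/**
 * Best-effort scrubber for one form field (written for the nickname) before the
 * value is concatenated into a single-quoted SQL string literal.
 *
 * Steps: delete a fixed deny-list of SQL keywords and metacharacters
 * (case-insensitive), trim, strip HTML/PHP tags, rescan until nothing more is
 * removed, then addslashes() unless magic quotes already escaped the form input.
 *
 * Limits a maintainer must know:
 *  - This is a deny-list. It is defence in depth at most, not injection protection.
 *    The query that uses the value should be a prepared statement (PDO or mysqli)
 *    with the value bound as a parameter.
 *  - The result is only meaningful inside a quoted string literal. It does not
 *    make a value safe as a column/table name or as a bare number.
 *  - addslashes() is not aware of the connection character set.
 *  - Legitimate input is mangled ("Wherefrom" loses "where" and "from").
 *
 * @param mixed $sql     Raw field value, normally a string taken from $_POST.
 * @param bool  $formUse True when the value comes from a form, i.e. when magic
 *                       quotes (on very old PHP) may already have escaped it.
 * @return string Scrubbed value; empty string for a missing or non-scalar field.
 */
function anti_injection_login($sql, $formUse = true)
{
    $denyList = "/(from|select|insert|delete|where|drop table|show tables|,|'|#|\\*|--|\\\\)/i";

    // A field that was not submitted is null, and PHP delivers an array for
    // bracketed field names; neither is a usable nickname, so treat both as empty
    // instead of letting trim()/strip_tags() fail on them.
    $sql = is_scalar($sql) ? (string) $sql : "";

    // First pass, in the original order: deny-list, trim, strip tags.
    // preg_replace() returns null on a PCRE error; the cast turns that into "".
    $sql = (string) preg_replace($denyList, "", $sql);
    $sql = trim($sql);
    $sql = strip_tags($sql);

    // Deleting a token or a tag can join its neighbours into a new deny-listed
    // token, which a single pass leaves in the output. Rescan until stable; every
    // step only removes characters, so the loop terminates.
    do {
        $previous = $sql;
        $sql = strip_tags((string) preg_replace($denyList, "", $sql));
    } while ($sql !== $previous);

    // get_magic_quotes_gpc() was removed in PHP 8.0; calling it unguarded is a
    // fatal error there. Where it no longer exists, magic quotes cannot be on.
    $alreadyEscaped = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    if (!$formUse || !$alreadyEscaped) {
        $sql = addslashes($sql);
    }

    return $sql;
}

// =============================================================================

$unityHash = anti_injection_login($_POST["myform_hash"]);
// NOTE(review): this is a static value that, per the comment on the next line, is
// also compiled into the game client. Anyone holding the client can read it, so a
// match shows the sender knows the constant, not that the request is authentic.
$phpHash = "736868697473736563726574"; // same code in here as in your Unity game

$nick = anti_injection_login($_POST["myform_nick"]); //I use that function to protect against SQL injection
// NOTE(review): anti_injection_login_senha() is not defined in this listing. As far
// as the visible code shows, its return value goes straight into the `password`
// column below; if it does not hash, store password_hash() output and check it
// with password_verify() instead of keeping the password itself.
$pass = anti_injection_login_senha($_POST["myform_pass"]);

/*
you can also use this:
$nick = $_POST["myform_nick"];
$pass = $_POST["myform_pass"];
*/
// NOTE(review): with the string-built query below, the unfiltered variant in the
// comment above would put raw request data into the SQL text. Only use raw values
// together with bound parameters.

// Truthiness test: a nickname or password of "0" is also treated as empty.
if (!$nick || !$pass) {
    echo "Login or password cant be empty.";
} else {
    // Strict comparison: both operands are digit-only strings, and PHP's loose `!=`
    // compares numeric-looking strings by numeric value rather than character by
    // character. hash_equals($phpHash, $unityHash) is preferable where available
    // (PHP 5.6+) because it is also constant-time.
    if ($unityHash !== $phpHash) {
        echo "HASH code is diferent from your game, you infidel.";
    } else {
        // $SQL = "SELECT * FROM scores WHERE name = '" . $nick . "'";
        // NOTE(review): string-built SQL. The database call is not part of this
        // listing, so it is left as written; it should become a prepared statement
        // with $nick and the password hash bound as parameters.
        $SQL = "INSERT INTO scores ( id , name , password ) VALUES (NULL, '" . $nick . "', '" . $pass . "' )";
        // The listing on the page stops after the assignment above. The two braces
        // below only close the blocks opened here so that the fragment parses; the
        // code that executes $SQL is not shown.
    }
}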
// NOTE(review): this fragment opens part-way through a function body. Judging by
// the variable names and the calls further down it is presumably the tail of
// anti_injection_login($sql, $formUse); the header and earlier statements are not
// visible here — confirm against the full file.
    $sql = strip_tags($sql); // remove HTML/PHP tags from the value
    // addslashes() is skipped only when the value is form input ($formUse) and magic
    // quotes report it as already escaped. get_magic_quotes_gpc() was removed in
    // PHP 8.0, so this call is a fatal error there. addslashes() is not
    // charset-aware and is no substitute for bound query parameters.
    if (!$formUse || !get_magic_quotes_gpc()) {
        $sql = addslashes($sql);
    }
    return $sql;
}

// =============================================================================

// Shared-constant check: the client posts a value that must equal $phpHash.
// NOTE(review): per the comment on $phpHash the same constant is shipped inside the
// Unity client, so it can be read from the client and does not authenticate the
// sender; it only filters requests that do not know the constant.
$unityHash = anti_injection_login($_POST["myform_hash"]);
$phpHash = "736868697473736563726574"; // same code in here as in your Unity game

$nick = anti_injection_login($_POST["myform_nick"]); //I use that function to protect against SQL injection
//$pass = anti_injection_login_senha($_POST["myform_pass"]); //THIS IS SO BAD NEVER EVER DO THIS
// NOTE(review): the comment below names three expected values, but the visible code
// never checks $tracknum against them. If it is later used as a column name, compare
// it against that fixed list first — filtering does not make a value safe as an
// identifier.
$tracknum = anti_injection_login($_POST["myform_tracknum"]); // where $tracknum = "hiscore", "hiscore2", or "hiscore3"
$hiscore_string = anti_injection_login($_POST["myform_hiscore"]);
// The cast keeps only a leading number: a value written as HH:MM:SS becomes just its
// hour part, and non-numeric text becomes 0. $hiscore is not used in the visible
// lines.
$hiscore = (double) $hiscore_string; // mysql TIME format: HH:MM:SS. floating points allowed?

/*
you can also use this:
$nick = $_POST["myform_nick"];
$pass = $_POST["myform_pass"];
*/
// NOTE(review): the unfiltered variant in the comment above would put raw request
// data into the string-built query below.

// NOTE(review): loose `!=`. $phpHash consists only of digits, and PHP compares
// numeric-looking strings by numeric value rather than character by character.
// A strict `!==`, or hash_equals() where available, avoids that.
if ($unityHash != $phpHash) {
    echo "HASH code is diferent from your game, you infidel.";
} else {
    // $SQL = "SELECT * FROM scores WHERE name = '" . $nick . "'";
    //$SQL = "INSERT INTO scores ( id , name , password ) VALUES (NULL, '" . $nick . "', '" . $pass . "' )";
    // NOTE(review): $nick is request data placed unquoted in the column-list position
    // of the statement. Quote stripping and addslashes() only matter inside a quoted
    // string literal, so they do not constrain what this position can contain.
    // Presumably a fixed column (or the allow-listed $tracknum) was intended — confirm.
    // Column names cannot be bound as parameters; select them from a hard-coded list.
    $SQL = "SELECT " . $nick . " FROM scores";
    // `@` hides PHP warnings from the call, while die() sends the raw database error
    // text to the client; log the error server-side and return a generic message
    // instead. Function names are case-insensitive in PHP, so mySQL_error() resolves
    // to mysql_error(). The mysql_* extension was removed in PHP 7.0; mysqli or PDO
    // with prepared statements is the replacement.
    $result_id = @mysql_query($SQL) or die("DATABASE ERROR!" . mySQL_error());
    $total = mysql_num_rows($result_id); // number of rows in the result set
    // (the fragment ends here; the else-block is closed outside the visible text)