Thanks! I will look into this

Can someone please enlighten me why a text file is supposed to be unsafer than a database? Its slower, okay, but less secure? Why?

you can put a password on a database. with a text file its all there and accessable if somone knows the direct path to said text file(s).

also with a database you can control which user has access to which part of the database etc.

Through .htaccess you can lock a directory from veeing accessable through the internet.
But I guess that it's easier to hack the textfile than hacking the db server.

I would suggest to use php between gamestudio and db serber. Through http post you can talk with the php scripts. This way you can define an explicit interface how the db server can be accessed.

Through .htaccess you can lock a directory from veeing accessable through the internet.
But I guess that it's easier to hack the textfile than hacking the db server.

I would suggest to use php between gamestudio and db serber. Through http post you can talk with the php scripts. This way you can define an explicit interface how the db server can be accessed.

Yes, i´m doing it like this Gstudio<->PHP<->Encryption<-> Database

Better would be: Gamestudio<>Encryption<>Php<>DB

You´re right..

With http requests and php you need a good authentication logic and encryption. Players can easily check your http requests and responses and may reroute some requests to other places(local http server) and return a response from there to make it look like they have been authenticated as a player that is non-existent or a different one. Using same methods they can also fake stats. That is also possible with packets used between gamestuio client and gs server but that's a lot harder.

Sounds like you can't handle a server. With the right settings there is no security risk whatsoever, beside maybe bugs in the server software, but they are usually well tested (especially Apache and Nginx).
Btw, its also possible to fail to secure a database so that everyone has access to it. For example by not validating any input.


Why would I want to have user access? Normally everything is routed through a webservice which has access to the database.

Anyway, about encryption, usually you want to use HTTPS instead of HTTP, and before trusting the HTTPS connection (hey, man in the middle attacks work there too), you should validate the certificate, the CA of the certificate and if the certificate was revoked (something most HTTPS implementations never do). You don't need to encrypt what you put into the database, however, don't even dare to put passwords in plain text into it. Always save a salted hash of the user passwords and try to make the salt as random as possible. You also should consider SHA256 as hashing algorithm because MD5 and SHA1 are considered more or less broken by now.