
Unity3D to PHP Security Issues

I have a question I am stumped on. Okay, this is for a game of mine in Unity3D.

To make this make sense in terms of what people normally play. Let's say the player has 500 Gold in their account (saved on database). And the player earns 243 gold by doing some kind of task, how could the game (Unity3D) tell the PHP file they earned specifically 243 Gold?

Because here's where the issue lies: in Unity3D there's a class called WWW. It allows you to send some sort of string to a PHP file.

int currentGold;
string goldToSend = currentGold.ToString(); // Only using that for example.

WWWForm form = new WWWForm();
form.AddField("NameOfPostRequestInPHPFile",goldToSend);
WWW www = new WWW("website.com/PHPFile.php", form);

Now as you can see, I am in a pretty big dilemma: being that you can't trust the client with anything, how would one actually send a random gold amount from the client side to the PHP to then put into a database?

The issue I am facing is, how can one really make a PHP understand what's going on in the game without the client actually telling it a thing, and being that you can't trust the client, how can the client actually tell the PHP to load, use this data and then put it into the database?

I thought about using hashes and stuff, but then that still brings up the problem client side.

Let's say

if (sentGold == 243) {
    string hash = hash01;
    // Change it to hash1000 (to get 1000 gold).
}
if (sentGold == 1000) {
    string hash = hash1000;
}

As you can see, using if statements clearly wouldn't work either, because then the hashes could just be changed locally to fit their devious attempts. Plus it looks like garbage to have 20K if statements.

I know it's impossible to entirely stop hacking. But at the same time, if I do something, I want to do it right, not half-a**ed, if you get what I mean?

If you've made it to this point reading my help message. I really appreciate the time you've put into reading it, it means a lot to me.

Now, if there's some other technology or hints you might know that could help me with this, or heck, even a tutorial on it (I've been looking for days), but I'm still deadlocked because nobody is addressing the fact that yeah, they might use secret keys and so forth, but they are failing to address that the string they send can be easily tampered with. All they gotta do is change from 243 to 9999999999 and then they are rich.

You can't trust the client? Correct.
But...
You are the captain of this ship. So your server needs to be smart enough to detect the cheating.
If a certain task in game gives 200 gold, you can send the reference of that task along with the value (200,"SomeTask"). Now if the client tries to send (10000,"SomeTask"), the server would consider it cheating. You might say that the client can earn variable gold based on how well they perform the task; in that case you can have a max-limit value for every task and check before adding the gold to the database.

And never send total gold from the client to be saved in the database. The client should only be able to send newly earned gold and will get back the total value.

For Example:

Database: 2000 gold  -> Game: 2000 gold

Game: POST (130,"pickupjewel");

Database: if (130 <= MaxValue("pickupjewel")) [TRUE] -> SUCCESS
Database: 2130 gold -> Game: 2130 gold


Game: POST (999999,"pickupjewel");

Database: if (999999 <= MaxValue("pickupjewel")) [FALSE] -> FAILURE
Database: 2130 gold -> Game: 2130 gold

I hope this helps. Let me know if you have any specific issue.
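The server-side check described in the answer above, written out in PHP as an added example (not code from the question or the answer). The function name `creditGold`, the cap values, the `players` table and the in-memory SQLite database (needs the `pdo_sqlite` extension) are assumptions made for illustration, as is taking the player id from an authenticated session.

```php
<?php
// Added example. Per-task caps live on the server; names and values are assumed.
const TASK_MAX_GOLD = ['pickupjewel' => 150, 'SomeTask' => 200];

// Validates one "newly earned gold" report and returns the authoritative total.
// $amount is untrusted request input, so it is deliberately left untyped.
function creditGold(PDO $db, int $playerId, string $task, $amount): array
{
    $max  = TASK_MAX_GOLD[$task] ?? null;                // unknown task => reject
    $gold = filter_var($amount, FILTER_VALIDATE_INT);    // "12abc", arrays => false
    $ok   = $max !== null && $gold !== false && $gold > 0 && $gold <= $max;

    if ($ok) {
        // Relative update in one statement: the client never supplies the total.
        $upd = $db->prepare('UPDATE players SET gold = gold + :g WHERE id = :id');
        $upd->execute([':g' => $gold, ':id' => $playerId]);
        $ok = $upd->rowCount() === 1;                    // unknown player => reject
    }

    // Success or failure, the reply carries the total stored in the database.
    $sel = $db->prepare('SELECT gold FROM players WHERE id = :id');
    $sel->execute([':id' => $playerId]);
    $total = $sel->fetchColumn();

    return ['success' => $ok, 'gold' => $total === false ? null : (int) $total];
}

// Constructed demo data: in-memory SQLite standing in for the real database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE players (id INTEGER PRIMARY KEY, gold INTEGER NOT NULL)');
$db->exec('INSERT INTO players (id, gold) VALUES (1, 2000)');

// Constructed requests. In a real endpoint $task and $amount come from $_POST
// and the player id from the server-side session, never from the request body.
$requests = [
    [130, 'pickupjewel'],      // within the cap
    [999999, 'pickupjewel'],   // over the cap
    ['-50', 'pickupjewel'],    // negative amount
    [130, 'nosuchtask'],       // task the server does not know
];
foreach ($requests as [$amount, $task]) {
    echo json_encode(creditGold($db, 1, $task, $amount)), "\n";
}
```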
