从服务器端验证谷歌播放购买 [英] Verification google play purchase from server side
问题描述
我现在真的搞砸了理解需求的概念和原因,甚至不知道如何通过编码来实现。
I now really messed up to understanding the concept and reason for need, and even don't know how to implement by coding.
所以,我用团结制作手机游戏,c#。使用php,mysql进行高分,并在应用程序购买项目信息中存储用户。
So, I made mobile game using unity, c#. Used php, mysql for highscore and store user's in app purchased item info.
我一周前在谷歌播放时发布了我的游戏,我的谷歌钱包显示没有人直到现在购买该游戏中的任何物品。
I released my game a week ago at google play, my google wallet shows nobody until now purchased any items in that game.
但是,当我检查我的游戏服务器(mysql数据库)时,一些用户有大量应该购买的物品。
But, when I checked my game server (mysql database), some users has enormous numbers of item that should be purchased.
这意味着一些用户使用黑客工具并绕过谷歌游戏检查程序并欺骗我的游戏并进行虚假购买。
This means some users used hacking tool and bypass google play check process and deceive my game and made fake purchase.
所以我没有实现developerPayload,也没有验证google play购买收据。
So I didn't implement developerPayload, nor validation of google play purchase receipt.
所以现在我删除了我的数据库中的整个恶意用户的项目(这将设置0到该用户的客户端项目),并希望实现google play购买的服务器端验证收据。
So now I deleted whole malicious user's item at my DB,(this will set 0 to that user's client's item), and want to implement server side verification of google play purchase receipt.
我通过谷歌搜索搜索了许多帖子,但从第一个到最后都没有完美的解决方案。
I searched many posts by googling, but there is no perfect solution from the first to end.
无论如何,到目前为止,我已经实现了这样的目标。
Anyway, I implemented so far like this.
首先,在用户结束谷歌结账流程后(是否是真的还是假的),我的Unity客户端的OnPurchaseSucceded函数被调用,在那里我实现了开始在我的服务器上传递我的PHP脚本。
First, after user ended google checkout process(whether this is real or fake), my unity client's OnPurchaseSucceded function called, there I implemented to start communicate my php script on my server.
private void OnPurchaseSucceded(Purchase purchase)
{
/*
// Optional verification of the payload. Can be moved to a custom server
if (!VerifyDeveloperPayload(purchase.DeveloperPayload)) {
return;
}*/
StartCoroutine(VerifyReceiptCo(purchase));
}
IEnumerator VerifyReceiptCo(Purchase purchase)
{
WWWForm hsFm = new WWWForm();
hsFm.AddField("data", purchase.OriginalJson);
hsFm.AddField("signature", purchase.Signature);
WWW hs = new WWW(verifyURL, hsFm);
yield return hs;
Debug.Log("verify result is " + hs.text);
// if result is true(validated), give item to user.
}
此处有问题,
<强> 1。 [我在代码上方做得对吗?对于数据字段,我使用了buy.OriginalJson,但这是对的吗?如果没有,我应该使用什么?]
并在从php(上述代码的verifyURL)收到这些信息后,
and after receive these info from php (verifyURL of above code),
$base64EncodedPublicKey = "MY game's public key from google play console";
$signedData = $_POST['data'];
$signature = $_POST['signature'];
$key = openssl_pkey_get_public($base64EncodedPublicKey);
$verified = (openssl_verify($signedData, base64_decode($signature), $key, OPENSSL_ALGO_SHA1) > 0);
$result = openssl_verify($signedData, base64_decode($signature), $key, OPENSSL_ALGO_SHA1);
if ($verified) {
echo 'verified : result is'.$result;
} else {
echo 'fail : result is'.$result;
}
其他问题,
的 2。 [我是否需要使用付费SSL服务来使用上面的php代码之类的openssl_方法?]
我正在使用hostgator.com的网络托管,我的计划已经有了共享SSL服务,那么这就够了吗?或者我应该购买另一个私人SSL服务计划?]
3。如果不使用openssl(不使用SSL服务)方法,是否无法验证这一点?
4。总体而言,我是否正确处理黑客用户?
非常感谢。
推荐答案
这是我验证谷歌订单的代码。它适用于我公司的所有产品。非常简单的代码。
here's my code for verify google order. it works fine with all products of my company. Very simple code.
function verifyGoogleOrderLocal($packageName, $jsonData, $sig)
{
$public_keys = array(
'package1' => 'key1',
'package2' => 'key2',
);
if(!$public_keys[$packageName]) {
return array("success"=>0,"reason"=>'no public key defined');
}
$key = get_openssl_key($public_keys[$packageName]);
if(!$key) {
return array("success"=>0,"reason"=>'invalid public key');
}
$result = openssl_verify($jsonData, base64_decode($sig), $key, OPENSSL_ALGO_SHA1);
$resp = array('success'=>$result);
if($result==0) $resp['reason'] = 'invalid signature';
return $resp;
}
function get_openssl_key($publicKey)
{
$key = "-----BEGIN PUBLIC KEY-----\n" . chunk_split($publicKey, 64, "\n") . '-----END PUBLIC KEY-----';
$key = openssl_get_publickey($key);
return $key;
}
这篇关于从服务器端验证谷歌播放购买的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
