I have been developing with PHP for years now, and I am currently developing a mini game with Flash by using ActionScript 3.0.
Since AS 3.0 is a client-side language, I am going to use PHP to handle data transfer between MySQL and the Flash application.
My only question is,
What is the theory that a user can't be sending inputs directly to PHP?
For example, imagine this.
Flash sends var nPoints = 850; nName = "Username"; to PHP by GET. (blahblah.php?point=850&username=Username)
PHP inserts 850 into the database. (basic SQL stuff)
Any user with a little knowledge could directly browse to the PHP file and input this.
blahblah.php?point=9999999999999999&username=MyHaxorUser
This came up in my mind.
I can send encrypted data to PHP, and nobody will know about the decryptor.
For example,
"Username" gets encrypted to "9AJ7ADHAWD8J18AHDWAD7AH18" and it gets decrypted to "Username" only in PHP. So they can't write their nicknames directly.
But still, they can change their nickname in Flash application, create an encrypted text, and write it to PHP. Since the encryption will be correct, PHP will decrypt it correctly and allow the value to pass.
How can I avoid this?
Someone in another forum suggested using SSL, but is there no other way of securing this?
Awaiting your reply,
Thanks.
P.S. Not speaking about SQL Injection. Please don't comment if you can't be sure about the subject.
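
An added example, not part of the original post: a server-side sketch in which nothing secret lives in the Flash client, so the problem the post describes (a modified client producing correctly encrypted values) does not arise. The username is bound to a server-issued ticket, and the score is bounded by server-known rules. All names, constants and the per-second scoring rule are assumptions.

```php
<?php
// Added example; every name and constant here is hypothetical.
const SERVER_KEY = 'constructed-demo-key'; // kept on the server, never shipped in the SWF
const MAX_POINTS_PER_SECOND = 10;          // assumed game rule
const MAX_ROUND_SECONDS = 600;             // assumed game rule

// Round start: the server issues a ticket for the logged-in user.
// $username comes from the server-side session, not from a GET parameter.
function startRound(string $username, int $now): string
{
    $payload = $now . '|' . $username;
    return base64_encode($payload) . '.' . hash_hmac('sha256', $payload, SERVER_KEY);
}

// Round end: returns [username, points] to store, or null to reject.
function acceptScore(string $ticket, string $points, int $now): ?array
{
    $parts = explode('.', $ticket, 2);
    if (count($parts) !== 2) {
        return null;
    }
    $payload = base64_decode($parts[0], true);
    if ($payload === false
        || !hash_equals(hash_hmac('sha256', $payload, SERVER_KEY), $parts[1])) {
        return null; // ticket was not issued by this server
    }
    [$started, $username] = explode('|', $payload, 2);
    $elapsed = $now - (int) $started;
    if ($elapsed <= 0 || $elapsed > MAX_ROUND_SECONDS) {
        return null; // stale or impossible round
    }
    // The score is still client input: accept only what the rules allow.
    $score = filter_var($points, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => $elapsed * MAX_POINTS_PER_SECOND],
    ]);
    return $score === false ? null : [$username, $score];
}

// Constructed sample requests.
$ticket = startRound('Username', 1000);
var_dump(acceptScore($ticket, '850', 1120));              // plausible score
var_dump(acceptScore($ticket, '9999999999999999', 1120)); // edited score
var_dump(acceptScore('TXlIYXhvclVzZXI=.' . str_repeat('0', 64), '850', 1120)); // self-made ticket
```

A ticket stays valid for the whole round window, so recording each ticket in MySQL and accepting it once is needed to stop replays. A score that stays under the cap still passes; tightening that requires the server to track more of the game state itself.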