I've come up with the following at the moment.
base64_encode all URLs (and all forms use POST)
Basically, this involves having a main index controller script (easy for me, because I use a template engine that includes other pages) that has the following code (or something along these lines) in it:
Code:
// Decode the page name carried in the query string (e.g. ?aG9tZQ== for "home")
$_url = base64_decode($_SERVER['QUERY_STRING']);
switch ($_url){
    case "home":
        include("pages/home.php");
        break;
    case "bank":
        include("pages/bank.php");
        break;
    default:
        // anything that is not a known page name
        include("pages/badnav.php");
}
Only really useful on RPG-style games, but basically you have an array of links for a location/page, then call a 'register_links' function that stores the links in a database (basic caching would be a bonus).
Code:
$links = array("bank","healers-hut","cafe");
register_links($links);
Code:
$links = getLinks($userLocation);
$_url = base64_decode($_SERVER['QUERY_STRING']); // See above
// $_url is a string, so compare the whole page name, not $_url[0] (its first character)
if(!in_array($_url, $links, true)){
    include("pages/badnav.php");
    exit; // stop here so the requested page is never reached
}
I know this sounds stupid, but suppose you have a page like 'heal.php' (and are ignoring the above...) and have no protection on that page.
A user would basically add the link to heal.php to his favourites, go out to battle, then when low on health (still in battle...) click his bookmark and heal, then switch back to the battle and continue.
All it really takes is a simple set of 'if's like:
Code:
// Buildings at the user's current location, loaded server side
$buildingsInUsersLocation = array("tavern","bank");
if(!in_array("healers-hut",$buildingsInUsersLocation)){
    include("pages/badnav.php");
    exit;
}
// Heal code goes here.
I know we all like to be nice and give freebies, or, to tempt new users, we offer a decent amount of 'goodies' for signing up.
As most of you know, once you do this... you get multiple accounts, so people get rich quick.
Although you might protect your signup with an image verification script, MAKE IT DIFFICULT, because a lot can be read using OCR techniques.
Your mail verification script will be easy to get around too, with so-called 'catch-all' email addresses or free email accounts (GMail, Yahoo, ThemWhoMustNotBeNamedButAreOwnedByM$).
What you should really do is make the signup bonuses 'non-transferable' or something like that.
And if you give free 'gold' or something as a signup bonus, make sure that during the first 48 hours or so the gold cannot be 'donated' or anything.
Also make sure that you protect EVERY script that deals with transferring goods between users, because if you leave one hole (maybe something like: sign up, buy a pair of shiny boots, trade to another user, user sells them, user is rich) it can be automated... and if you release to the public with holes like this, even though it seems small, your chances of getting big are made a lot smaller if a few people cheat their way to the top.
Trade limits
If you have a game with a 'trade' feature, I'd recommend limiting it so a user can only RECEIVE a certain amount of items or gold or anything within an hour. This should stop people getting rich REALLY fast (they still will, but not as fast) from 'scamming' other people or signing up for multiple accounts.
That's basically all I came up with; do any of you guys have any to add (or anything to say about mine)?
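A fuller version of the location check and trade limit from the post above, as an added example written by the editor rather than code from the post. It assumes a constructed LOCATIONS table standing in for the register_links/getLinks database, a fixed list of page names, and that the user's location and trailing-hour trade total come from the session or database, never from the request. The page name in the query string stays base64-encoded as in the post, but base64 is an encoding, not a secret (anyone can decode and re-encode it), so the only thing that actually stops a bookmarked heal.php mid-battle is the server-side check against the user's current location, repeated inside the action script itself.

```php
<?php
// Added example (not from the original post): location-aware page router,
// the same check inside an action script, and an hourly receive cap for
// trades. LOCATIONS and ALL_PAGES are constructed sample data standing in
// for the register_links/getLinks database.
declare(strict_types=1);

// Which pages are reachable from each location (server-side truth).
const LOCATIONS = [
    'town'   => ['home', 'bank', 'healers-hut', 'cafe'],
    'forest' => ['home', 'battle'],
];

// Every page that exists at all; nothing outside this list is ever included.
const ALL_PAGES = ['home', 'bank', 'healers-hut', 'cafe', 'battle'];

/**
 * Decode the page name from the raw query string. Returns null for anything
 * that is not valid base64 or not a known page name, so the caller falls
 * through to badnav without the decoded value ever touching the filesystem.
 */
function decodePage(string $queryString): ?string
{
    // strict mode: characters outside the base64 alphabet make this return false
    $decoded = base64_decode($queryString, true);
    if ($decoded === false) {
        return null;
    }
    // Only an exact match from the fixed page list is accepted (strict compare).
    return in_array($decoded, ALL_PAGES, true) ? $decoded : null;
}

/**
 * Resolve which script to include. $userLocation comes from the session or
 * database, not from the request, so the client cannot pick its own location.
 */
function resolvePage(string $queryString, string $userLocation): string
{
    $page  = decodePage($queryString);
    $links = LOCATIONS[$userLocation] ?? [];
    if ($page === null || !in_array($page, $links, true)) {
        return 'pages/badnav.php';
    }
    return "pages/{$page}.php";
}

/**
 * The same check inside the heal script (the bookmark case from the post):
 * healing only works if the healers' hut is at the user's current location,
 * regardless of how the request arrived.
 */
function canHeal(string $userLocation): bool
{
    return in_array('healers-hut', LOCATIONS[$userLocation] ?? [], true);
}

/**
 * Hourly receive cap for trades. $receivedLastHour is what the recipient has
 * already been given in the trailing hour, summed server side from the trade
 * log; the transfer goes through only if it stays under the cap.
 */
function tradeAllowed(int $amount, int $receivedLastHour, int $hourlyCap): bool
{
    return $amount > 0 && $receivedLastHour + $amount <= $hourlyCap;
}

// Constructed requests: what a legitimate bank link carries, and the
// bookmarked heal link clicked while the user is still in the forest.
$bank = base64_encode('bank');
$heal = base64_encode('healers-hut');

echo resolvePage($bank, 'town'), PHP_EOL;       // bank link used from town
echo resolvePage($heal, 'forest'), PHP_EOL;     // bookmarked heal link used mid-battle
echo resolvePage('../badnav', 'town'), PHP_EOL; // junk that is not even valid base64
var_export(canHeal('forest'));                  // the heal script's own check
echo PHP_EOL;
var_export(tradeAllowed(500, 800, 1000));       // a trade that would pass the hourly cap
echo PHP_EOL;
```

Run it with `php router.php`. The decoded page name is never used to build a path directly: it is first matched strictly against ALL_PAGES, then against the location's own list, so directory-traversal strings and valid-looking base64 for pages that do not exist both end at badnav.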