protect php post
Posted: Tue Nov 09, 2010 6:05 am
by ahmetalsan
Hi everyone,
I used flash as3 + php at my flash game.
But some players abused my php script. They post their fake scores to my php file.
Here is my code.
Code:
require "includes/conn.php";
if (isset($_POST["uid"], $_POST["name"], $_POST["time"])) {
    $uid = $_POST["uid"];
    $name = $_POST["name"];
    $time = $_POST["time"];
    // POST values are concatenated straight into the SQL text (the problem discussed in the replies)
    mysql_query("INSERT INTO `scores` (`id`, `uid`, `name`, `time`) VALUES ('', '".$uid."', '".$name."', '".$time."')") or die('Could not connect: ' . mysql_error());
}
Re: protect php post
Posted: Tue Nov 09, 2010 6:17 am
by VladSun
Your site is vulnerable to SQL injection attacks. Use mysql_real_escape_string() and validate your input (i.e. $_POST) data.
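The same INSERT written the way VladSun suggests (validated input, no string-built SQL), as an added example that is not part of this thread. It assumes includes/conn.php supplies a mysqli connection in $conn and that `id` is an AUTO_INCREMENT column; both are assumptions, since the original code uses the old mysql_* functions.

```php
<?php
// Added example, not the poster's code. Assumes includes/conn.php creates
// a mysqli connection in $conn (assumption) and that `scores`.`id` is
// AUTO_INCREMENT, so it is left out of the INSERT (assumption).
require "includes/conn.php";

if (!isset($_POST["uid"], $_POST["name"], $_POST["time"])) {
    http_response_code(400);
    exit("missing fields");
}

// Validate before touching the database: uid and time must be integers,
// name is bounded to a sane length.
$uid  = filter_var($_POST["uid"], FILTER_VALIDATE_INT);
$time = filter_var($_POST["time"], FILTER_VALIDATE_INT);
$name = trim($_POST["name"]);

if ($uid === false || $time === false || $time < 0 || $name === "" || strlen($name) > 32) {
    http_response_code(400);
    exit("invalid input");
}

// Placeholders keep the data out of the SQL text, so a quote character in
// $name can never change the statement itself.
$stmt = $conn->prepare("INSERT INTO `scores` (`uid`, `name`, `time`) VALUES (?, ?, ?)");
if ($stmt === false) {
    http_response_code(500);
    exit("database error");
}
$stmt->bind_param("isi", $uid, $name, $time);
if (!$stmt->execute()) {
    $stmt->close();
    http_response_code(500);
    exit("database error");
}
$stmt->close();
echo "ok";
```

Prepared statements close the injection hole, but they do not stop a player from posting a well-formed fake score; that is the separate problem the next replies address.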
Re: protect php post
Posted: Tue Nov 09, 2010 4:19 pm
by McInfo
You need to design a way for your PHP script to know that the data it receives comes from your Flash application and that the data has not been changed en route. This might involve some kind of encryption, obfuscation, or tokens. Whatever it is, it needs to be implementable in both PHP and ActionScript.
For example, in ActionScript, you might calculate a numeric token based on the user id, numeric values of characters in the name, components of the time, and a secret number (known as a salt). When you send the request to your PHP script, include the token along with the other variables. In PHP, calculate another token using the same rules, and compare the two tokens. If the tokens are the same, you can be confident that the request has not been tampered with.
Be aware that it may be possible to decompile Flash applications; so change the salt as often as practical.
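A concrete form of McInfo's token idea on the PHP side, as an added example that is not code from this thread. Instead of an ad-hoc numeric token it uses hash_hmac over the submitted fields plus an issued_at timestamp (the timestamp and the MAX_AGE window are additions, not something McInfo described); the secret value and the sample submission are constructed placeholders, and the ActionScript side is assumed to compute the token with the same fields, separator and secret.

```php
<?php
// Added example, not the poster's or McInfo's code. SECRET is a placeholder
// (assumption) that the Flash client would also embed; MAX_AGE is a
// constructed value.
const SECRET  = "REPLACE_ME_WITH_A_LONG_RANDOM_SECRET";
const MAX_AGE = 300; // seconds a submission stays valid

// Token over every field the server will trust, joined with a separator so
// that "1|23" and "12|3" cannot produce the same message.
function score_token(int $uid, string $name, int $time, int $issued_at, string $secret): string {
    $message = implode("|", [$uid, $name, $time, $issued_at]);
    return hash_hmac("sha256", $message, $secret);
}

// True only when all fields are present, well-formed, fresh, and the token
// recomputed from them matches the one the client sent.
function verify_submission(array $post, string $secret, int $now): bool {
    foreach (["uid", "name", "time", "issued_at", "token"] as $field) {
        if (!isset($post[$field])) {
            return false;
        }
    }
    $uid    = filter_var($post["uid"], FILTER_VALIDATE_INT);
    $time   = filter_var($post["time"], FILTER_VALIDATE_INT);
    $issued = filter_var($post["issued_at"], FILTER_VALIDATE_INT);
    if ($uid === false || $time === false || $issued === false) {
        return false;
    }
    // Stale or future-dated submissions are rejected; this limits replay of a
    // captured request to a short window.
    if ($now - $issued > MAX_AGE || $issued > $now + 60) {
        return false;
    }
    $expected = score_token($uid, (string)$post["name"], $time, $issued, $secret);
    // Constant-time comparison so response timing does not leak the token.
    return hash_equals($expected, (string)$post["token"]);
}

// Demo with constructed values standing in for what the Flash client sends.
$now = time();
$submission = ["uid" => 42, "name" => "ahmet", "time" => 137, "issued_at" => $now];
$submission["token"] = score_token(42, "ahmet", 137, $now, SECRET);
var_dump(verify_submission($submission, SECRET, $now));

// Same token, edited score: the recomputed HMAC no longer matches.
$tampered = $submission;
$tampered["time"] = 1;
var_dump(verify_submission($tampered, SECRET, $now));
```

The first var_dump is true and the second false. The secret still has to live inside the SWF, which is exactly the decompilation caveat above: this raises the effort needed to forge a score and lets you rotate the secret, but it is not equivalent to computing the result on the server.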
Re: protect php post
Posted: Sun Nov 21, 2010 2:30 am
by Bind
You can use PHP to create Flash now programmatically.
The token idea (shared seed) is an excellent approach, as well as keyed encryption/decryption of any streaming data.
That way it will be unique for each request, comparable against databased values, and harder to reverse engineer.
Additionally, when posting back high scores you want to use encryption with a unique key for every request.
I had similar concerns with some gambling sites I was contracted to develop based on a flash animation front end for various casino games. My approach was to complete every critical and compromisable computation server side then send results to the flash front end with the server databasing the results ahead of time, therefore eliminating the ability of any user cheating.
For foolproof anti-cheat gaming, I would recommend the latter system. As long as your servers are secure, the system is secure.