View Full Version : Security

02-20-2012, 04:28 AM
So I made a game that isn't connected to the internet. But when the game ends, it opens up my website to send the user's game scores to my website.

It will first go here...


then I used mysql_query to insert the userlevel into the db and it redirects the user to my real site.

But, this means that someone could easily figure out that link above and insert a level they really didn't earn.

I can't figure out how to make it so they can't insert their own information. Does anyone have any ideas?

The only thing I can think of to help prevent this is to make it so they can only access the update page once every hour or something, but that still doesn't completely fix it.

02-20-2012, 08:31 AM
Try sending the info with POST instead of GET.

02-20-2012, 08:33 AM
I can't, the info has to be sent from the game to the url bar.

02-20-2012, 09:28 AM
When a user starts playing the game, you could get a token from the website (create it using uniqid()) and then when the game ends the game transmits that token back with the score.

Ultimately though, using $_POST would be a wiser choice but even that is hackable.

You could also use the token as an encryption if you can find some encryption code that will run in your game. Take the last 2/3 digits from the token and use them as a key to encrypt / decrypt the data before it's sent to your website. That would have most people pretty stumped for a while but even that is crackable although it will make life much harder for most.
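
The token idea from the post above, as an added example that is not part of the thread: the site issues a random single-use token when the game starts and accepts one score per token. Table names, function names, the two-hour expiry and the level cap of 100 are assumptions, SQLite stands in for the site's MySQL database, and random_bytes() replaces uniqid() because uniqid() is clock-based and predictable.

```php
<?php
// Added example, not code from the thread. Table and function names are hypothetical.
// An in-memory SQLite database stands in for the site's MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE game_tokens (
    token TEXT PRIMARY KEY, issued_at INTEGER NOT NULL, used INTEGER NOT NULL DEFAULT 0)');
$db->exec('CREATE TABLE scores (token TEXT PRIMARY KEY, level INTEGER NOT NULL)');

// Called when a game starts. random_bytes() is used instead of uniqid(),
// because uniqid() is derived from the clock and can be guessed.
function issueToken(PDO $db, int $now): string
{
    $token = bin2hex(random_bytes(16));
    $db->prepare('INSERT INTO game_tokens (token, issued_at) VALUES (?, ?)')
       ->execute([$token, $now]);
    return $token;
}

// Called when the game ends. Accepts a score only for a known, unused,
// unexpired token, and only for a level inside the assumed valid range.
function submitScore(PDO $db, string $token, $level, int $now,
                     int $maxAge = 7200, int $maxLevel = 100): bool
{
    $level = filter_var($level, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => $maxLevel]]);
    if ($level === false) {
        return false;
    }
    // Marking the token used in one conditional UPDATE keeps it single-use
    // even when two requests arrive at the same moment.
    $claim = $db->prepare('UPDATE game_tokens SET used = 1
                           WHERE token = ? AND used = 0 AND issued_at >= ?');
    $claim->execute([$token, $now - $maxAge]);
    if ($claim->rowCount() !== 1) {
        return false;
    }
    $db->prepare('INSERT INTO scores (token, level) VALUES (?, ?)')
       ->execute([$token, $level]);
    return true;
}

// Constructed walk-through of four submissions.
$now = time();
$token = issueToken($db, $now);
var_dump(submitScore($db, $token, '12', $now + 600));            // first use of a fresh token
var_dump(submitScore($db, $token, '99', $now + 601));            // same token sent again
var_dump(submitScore($db, 'guessed-value', '50', $now));         // token the site never issued
var_dump(submitScore($db, issueToken($db, $now), '5000', $now)); // level outside the valid range
```

A modified game client can still request a token and send any in-range level, so this limits replays and blind URL guessing rather than proving the score was earned.
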

02-20-2012, 10:05 AM
For the first suggestion:
I could possibly do that, but if the site/host goes down for that second that the game is getting the token, then their scores wouldn't be updated. I don't know, it's kinda complicated with the way I have to retrieve stuff from the internet through the game, it doesn't really work out great.

I thought of doing that, but it isn't completely secure. This will probably be the next thing I do since it is better than what I got, but I am hoping to find a way that won't be beaten by someone that doesn't know how to hack.

02-20-2012, 10:40 AM
Well, for the first, if the website goes down then the game scores are lost anyway. That being the case you might as well have the game (I'm assuming this is Flash based?) record the scores somewhere and also be able to auto generate its own unique token and submit them if it's unable to obtain them. It'll be a rarely used feature so the odds would be smaller of a hacker finding it with a packet sniffer (though not impossible). That said, if contact with the server is down, you could always just stop the game from running and display an error message.

Second you might want to look into transmitting your data over an SSL connection instead.

02-23-2012, 04:57 AM
Sorry, I got distracted with something else and forgot to check this...

I am not using Flash, I am using Game Maker 8.1, not great but it works. That is true though, if the website is down then the scores wouldn't be recorded. But the scores are recorded at the end of the game, so if it checks for a token at the beginning while the site is down, at the end the site will probably be up without a token. But really that isn't a big deal and can be changed to work.

02-23-2012, 11:16 AM
Game Maker... I seem to remember trying that once many moons ago... I should take another look at it. Thanks for the reminder.

Good luck with your project :thumbsup:

02-24-2012, 12:50 AM
No problem :p

You can check out my game if you want :)

Evolution - The Beginning (http://sandbox.yoyogames.com/games/194293-evolution---the-beginning)
My Website for the Game (http://evolution.host22.com/index.php?page=Home)