...

View Full Version : Security



Ndogg
02-20-2012, 04:28 AM
So I made a game that isn't connected to the internet. But when the game ends, it opens up my website to send the users game scores to my website.

It will first go here...

mysite.com/update.php?userlevel=10

then I used mysql_query to insert the userlevel into the db and it redirects the user to my real site.

But, this means that someone could easily figure out that link above and insert a level they really didn't earn.

I can't figure out how to make it so they can't insert there own information. Does anyone have any ideas?

The only thing I can think of to help prevent this is to make it so they can only access the update page once every hour or something, but that still doesn't completely fix it.

cercos
02-20-2012, 08:31 AM
try sending the info with POST instead of GET

Ndogg
02-20-2012, 08:33 AM
I can't, the info has to be sent from the game to the url bar.

tangoforce
02-20-2012, 09:28 AM
When a user starts playing the game, you could get a token from the website (create it using uniqid() ) and then when the game ends the game transmits that token back with the score.

Ultimately though, using $_POST would be a wiser choice but even that is hackable.

You could also use the token as an encryption if you can find some encryption code that will run in your game. Take the last 2/3 digits from the token and use them as a key to encrypt / decrypt the data before it's sent to your website. That would have most people pretty stumped for a while but even that is crackable although it will make life much harder for most.

Ndogg
02-20-2012, 10:05 AM
For the first suggestion:
I could possibly do that, but if the site/host goes down for that second that the game is getting the token, then there scores wouldn't be updated. I don't know, its kinda complicated with the way I have to retrieve stuff from the internet through the game, it doesn't really work out great.

Second:
I thought of doing that, but it isn't completely secure. This will probably be the next thing I do since it is better than what I got, but I am hoping to find a way that won't be beaten by someone that doesn't know how to hack.

tangoforce
02-20-2012, 10:40 AM
Well for the first, if the website goes down then the game scores are lost anyway. That being the case you might as well have the game (I'm assuming this is flash based?) record he scores somewhere and als be able to auto generate its own unique token and submit them if its unable to obtain them. It'll be a rarely used feature so the odds would be smaller of a hacker finding it with a packet sniffer (though not impossible). That said, if contact with the server is down, you could always just stop the game from running and display an error message.

Second you might want to look into transmitting your data over an SSL connection instead.

Ndogg
02-23-2012, 04:57 AM
Sorry, I got distracted with something else and forgot to check this...

I am not using flash, I am using game maker 8.1, not great but it works. That is true though, if the website is down then the scores wouldn't be recorded. But the scores are recorded at the end of the game, so if it checks for a token at the beginning while the site is down, at the end the site will probably be up without a token. But really that isn't a big deal and can be changed to work.

tangoforce
02-23-2012, 11:16 AM
Game maker.. I seem to remember trying that once many moons ago.. I should take another look at it. Thanks for the reminder.

Good luck with your project :thumbsup:

Ndogg
02-24-2012, 12:50 AM
No problem :p

You can check out my game if you want :)

Evolution - The Beginning (http://sandbox.yoyogames.com/games/194293-evolution---the-beginning)
My Website for the Game (http://evolution.host22.com/index.php?page=Home)



EZ Archive Ads Plugin for vBulletin Copyright 2006 Computer Help Forum