whackaxe
09-07-2002, 01:28 PM
I have just asked this question, but now I'm looking at the problem at a larger scale. What I am doing is a single-player RPG where the user uses a JavaScript interface, and when he needs an action, what happens is that the page calls itself (PHP_SELF), with the GET method for the moment, but the problem is the same with POST. For example, when the person chats to a computer-controlled user:
<a href="engine.php?inst=dial&para1=diana">chat to diana</a>
That will reload the page with the chat to Diana initialized. Now Diana is a very nice person who just says hi, but what about if the user uses "inst=level_up"? Now you see that the user will be able to control his character arbitrarily, which won't be good!
So I was wondering about a way to verify that the user is still on the server, because I imagined that what the guy could do is sign in, then go to a page on his HD and send in the form (GET or POST), and it would execute his commands, which is lame.
Could someone tell me how to get round this threat (apart from abandoning the project, which is out of the question :p)? I hope I've been clear.
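The short answer to the question above is that there is no way to "verify the user is still on the server": a request built from a file on the user's disk is byte-for-byte indistinguishable from one produced by your own page, so the server has to treat every request as untrusted and keep all authority on its side. What that looks like in practice, as an added example that is not the poster's code: the character lives in the PHP session rather than in the request, the only instructions the client may name are looked up in an allowlist, their arguments are checked against server-side state (is Diana actually in the room?), and a privileged transition such as level_up is never client-invokable at all; it happens only when the server's own XP accounting says so. The game data (locations, NPCs, XP threshold), the handler names and the `para1` argument are constructed for the example.

```php
<?php
// engine.php, added example (not the original poster's code).
// The server alone decides what a request does: the client can only name an
// allowlisted instruction, every argument is validated against server-side
// state, and privileged transitions such as level_up are never requestable.

declare(strict_types=1);

// Instructions a player is allowed to request, mapped to handler functions.
// Anything not listed here ('level_up', 'give_gold', ...) is rejected outright.
const PLAYER_INSTRUCTIONS = [
    'dial' => 'handleDial',
    'look' => 'handleLook',
];

// Constructed game data for the example: NPCs per location and the XP threshold.
const NPCS_BY_LOCATION = [
    'tavern' => ['diana' => 'Hi!', 'bartender' => 'What will it be?'],
    'road'   => [],
];
const XP_PER_LEVEL = 100;

function newPlayer(): array {
    return ['name' => 'hero', 'level' => 1, 'xp' => 0, 'location' => 'tavern'];
}

// Level-ups happen only here, driven by XP the server itself has granted.
function grantXp(array $player, int $amount): array {
    $player['xp'] += $amount;
    while ($player['xp'] >= XP_PER_LEVEL) {
        $player['xp'] -= XP_PER_LEVEL;
        $player['level']++;
    }
    return $player;
}

// 'dial': talk to an NPC, but only one that is present at the player's location.
function handleDial(array $player, array $args): array {
    $npc  = $args['para1'] ?? '';
    $here = NPCS_BY_LOCATION[$player['location']] ?? [];
    if (!is_string($npc) || !isset($here[$npc])) {
        return [$player, "There is nobody called '$npc' here."];
    }
    $player = grantXp($player, 10);   // talking is worth a little XP
    return [$player, "$npc says: " . $here[$npc]];
}

function handleLook(array $player, array $args): array {
    $names = array_keys(NPCS_BY_LOCATION[$player['location']] ?? []);
    return [$player, 'You see: ' . ($names ? implode(', ', $names) : 'nobody')];
}

// Dispatch one request. $request is $_GET or $_POST; $player is the server-side
// copy of the character (kept in $_SESSION, never taken from the request).
// Returns [updated player, message for the client].
function dispatch(array $player, array $request): array {
    $inst = $request['inst'] ?? '';
    if (!is_string($inst) || !array_key_exists($inst, PLAYER_INSTRUCTIONS)) {
        // Forged or hand-typed instructions land here no matter where the
        // request came from; the origin of the request is never consulted.
        return [$player, 'Unknown instruction.'];
    }
    $handler = PLAYER_INSTRUCTIONS[$inst];
    return $handler($player, $request);
}

if (PHP_SAPI === 'cli') {
    // Stand-alone demo: one legitimate request, then a forged 'level_up'.
    $player = newPlayer();
    foreach ([['inst' => 'dial', 'para1' => 'diana'], ['inst' => 'level_up']] as $req) {
        [$player, $msg] = dispatch($player, $req);
        echo http_build_query($req), " -> $msg (level {$player['level']}, xp {$player['xp']})\n";
    }
} else {
    session_start();
    $_SESSION['player'] ??= newPlayer();
    [$_SESSION['player'], $msg] = dispatch($_SESSION['player'], $_GET);
    echo htmlspecialchars($msg, ENT_QUOTES, 'UTF-8');
}
```

Run with `php engine.php` to see the forged `inst=level_up` rejected while `inst=dial&para1=diana` is served; under a web server the same code keeps the character in `$_SESSION`, so a saved copy of the form on the user's hard disk can still send requests, but it can only ask for what the allowlist permits and can never set level or XP directly. The `is_string` checks matter because `?inst[]=dial` would otherwise hand an array to code expecting a string.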