
Thread: Security

  1. #1
    Regular Coder
    Join Date
    Jun 2009
    Posts
    278
    Thanks
    78
    Thanked 2 Times in 2 Posts

    Security

    So I made a game that isn't connected to the internet. But when the game ends, it opens up my website to send the user's game scores to my website.

    It will first go here...

    mysite.com/update.php?userlevel=10

    then I used mysql_query to insert the userlevel into the db and it redirects the user to my real site.

    But, this means that someone could easily figure out that link above and insert a level they really didn't earn.

    I can't figure out how to make it so they can't insert their own information. Does anyone have any ideas?

    The only thing I can think of to help prevent this is to make it so they can only access the update page once every hour or something, but that still doesn't completely fix it.

  • #2
    New Coder
    Join Date
    Feb 2012
    Posts
    40
    Thanks
    0
    Thanked 9 Times in 9 Posts
    Try sending the info with POST instead of GET.

  • #3
    Regular Coder
    Join Date
    Jun 2009
    Posts
    278
    Thanks
    78
    Thanked 2 Times in 2 Posts
    I can't, the info has to be sent from the game to the url bar.

  • #4
    Senior Coder
    Join Date
    Feb 2011
    Location
    Your Monitor
    Posts
    4,309
    Thanks
    58
    Thanked 525 Times in 512 Posts
    Blog Entries
    5
    When a user starts playing the game, you could get a token from the website (create it using uniqid() ) and then when the game ends the game transmits that token back with the score.

    Ultimately though, using $_POST would be a wiser choice but even that is hackable.

    You could also use the token as an encryption if you can find some encryption code that will run in your game. Take the last 2/3 digits from the token and use them as a key to encrypt / decrypt the data before it's sent to your website. That would have most people pretty stumped for a while but even that is crackable although it will make life much harder for most.
    See my new CodingForums Blog: http://www.codingforums.com/blogs/tangoforce/

    Many useful explanations and tips including: Cannot modify headers - already sent, The IE if (isset($_POST['submit'])) bug explained, unexpected T_CONSTANT_ENCAPSED_STRING, debugging tips and much more!

  • Users who have thanked tangoforce for this post:

    Ndogg (02-20-2012)
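The token flow suggested in post #4, as an added example that is not code from the thread: the site issues a single-use token at game start and `update.php` accepts a level only with an unused, unexpired token. It uses `random_bytes()` rather than `uniqid()` (which is derived from the clock), an in-memory SQLite database instead of the poster's MySQL so it runs stand-alone, and the table names, function names, `MAX_LEVEL` and `TOKEN_TTL` are assumptions.

```php
<?php
// Added example: one-time score tokens. All table and function names are hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE score_tokens (token TEXT PRIMARY KEY, user_id INTEGER NOT NULL,
    issued_at INTEGER NOT NULL, used INTEGER NOT NULL DEFAULT 0)');
$db->exec('CREATE TABLE scores (user_id INTEGER PRIMARY KEY, userlevel INTEGER NOT NULL)');

const MAX_LEVEL = 100;       // assumed upper bound for this game
const TOKEN_TTL = 4 * 3600;  // assumed longest plausible play session, in seconds

// Game start: the site issues an unguessable token tied to the player.
function issueToken(PDO $db, int $userId, int $now): string
{
    $token = bin2hex(random_bytes(16)); // CSPRNG output, not time-based
    $db->prepare('INSERT INTO score_tokens (token, user_id, issued_at) VALUES (?, ?, ?)')
       ->execute([$token, $userId, $now]);
    return $token;
}

// Game end: update.php?token=...&userlevel=... passes the raw query values here.
function submitScore(PDO $db, string $token, string $rawLevel, int $now): bool
{
    $level = filter_var($rawLevel, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => MAX_LEVEL]]);
    if ($level === false) {
        return false; // not an integer, or outside the plausible range
    }
    // Claim the token in a single statement so a replayed URL matches zero rows.
    $claim = $db->prepare('UPDATE score_tokens SET used = 1
        WHERE token = ? AND used = 0 AND issued_at >= ?');
    $claim->execute([$token, $now - TOKEN_TTL]);
    if ($claim->rowCount() !== 1) {
        return false; // unknown, expired, or already used
    }
    $owner = $db->prepare('SELECT user_id FROM score_tokens WHERE token = ?');
    $owner->execute([$token]);
    $db->prepare('REPLACE INTO scores (user_id, userlevel) VALUES (?, ?)')
       ->execute([(int) $owner->fetchColumn(), $level]);
    return true;
}

// Constructed walk-through of the cases the thread worries about.
$now = time();
$t = issueToken($db, 7, $now);
var_dump(submitScore($db, $t, '10', $now + 600));                   // first submission
var_dump(submitScore($db, $t, '99', $now + 700));                   // same URL replayed
var_dump(submitScore($db, 'guessed-token', '10', $now));            // token never issued
var_dump(submitScore($db, issueToken($db, 8, $now), '9999', $now)); // implausible level
```

This stops guessed and replayed URLs; it does not stop a player who obtains a real token and then reports a level they did not earn, which is the limit post #4 already points out.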

  • #5
    Regular Coder
    Join Date
    Jun 2009
    Posts
    278
    Thanks
    78
    Thanked 2 Times in 2 Posts
    For the first suggestion:
    I could possibly do that, but if the site/host goes down for that second that the game is getting the token, then their scores wouldn't be updated. I don't know, it's kinda complicated with the way I have to retrieve stuff from the internet through the game, it doesn't really work out great.

    Second:
    I thought of doing that, but it isn't completely secure. This will probably be the next thing I do since it is better than what I got, but I am hoping to find a way that won't be beaten by someone that doesn't know how to hack.

  • #6
    Senior Coder
    Join Date
    Feb 2011
    Location
    Your Monitor
    Posts
    4,309
    Thanks
    58
    Thanked 525 Times in 512 Posts
    Blog Entries
    5
    Well for the first, if the website goes down then the game scores are lost anyway. That being the case you might as well have the game (I'm assuming this is flash based?) record the scores somewhere and also be able to auto generate its own unique token and submit them if it's unable to obtain them. It'll be a rarely used feature so the odds would be smaller of a hacker finding it with a packet sniffer (though not impossible). That said, if contact with the server is down, you could always just stop the game from running and display an error message.

    Second you might want to look into transmitting your data over an SSL connection instead.

  • Users who have thanked tangoforce for this post:

    Ndogg (02-23-2012)

  • #7
    Regular Coder
    Join Date
    Jun 2009
    Posts
    278
    Thanks
    78
    Thanked 2 Times in 2 Posts
    Sorry, I got distracted with something else and forgot to check this...

    I am not using flash, I am using game maker 8.1, not great but it works. That is true though, if the website is down then the scores wouldn't be recorded. But the scores are recorded at the end of the game, so if it checks for a token at the beginning while the site is down, at the end the site will probably be up without a token. But really that isn't a big deal and can be changed to work.

  • #8
    Senior Coder
    Join Date
    Feb 2011
    Location
    Your Monitor
    Posts
    4,309
    Thanks
    58
    Thanked 525 Times in 512 Posts
    Blog Entries
    5
    Game maker.. I seem to remember trying that once many moons ago.. I should take another look at it. Thanks for the reminder.

    Good luck with your project

  • Users who have thanked tangoforce for this post:

    Ndogg (02-23-2012)

  • #9
    Regular Coder
    Join Date
    Jun 2009
    Posts
    278
    Thanks
    78
    Thanked 2 Times in 2 Posts
    No problem

    You can check out my game if you want

    Evolution - The Beginning
    My Website for the Game

