I can't really think of any way to prevent it. Other than through some easy-to-defeat means that would only stop the casual cheater, I can't even think of any good way to widely deter it. Since the data comes from the user, they will always be able to manipulate it and abuse your system. If you want to stop the vast majority of cheating I think you probably need to go with a compiled language running through a browser plugin (Java, Flash, etc.).
My best guess for what to do with a pure js application is to encode the $_GET or $_POST string you send to the PHP page so it's not as simple as
. If you find a reversible way to encode it
(or even encrypt it with a shared key
- perhaps one that is generated randomly for each session but persists throughout a given session until that session sets a record, at which time the key changes - that way no two sessions would be likely to be able to use the same variable values to set a score and a user who set a score once wouldn't be able to resubmit the string to get a second high score) you could at least keep the totally uninitiated from cheating your system. If you obfuscate the variable names and functions and/or stuff the script inside an eval()
you could make it one step more inconvenient to cheat. But nothing will ever be even clost to bullet-proof.
So the question is: "Is the effort worth the benefit?" That's up to you.