I want to create a browser-based game and I have a huge problem: the game can be easily hacked. The problem is at a page where you can go to "work". I store in a file the work ending date and the amount of money that you will receive after finishing the work. There are 4 types of work. The problem is that I use ajax to send the necessary information to a php file. The URL looks like this: x.php?date=....&pay=.... The javascript part of the page calculates the date and the pay, but if you simply enter x.php?date=anynumber&pay=99999 in your URL bar you will receive those 99999 dollars. What should I do? And sorry for my bad English :)
+1
A:
You should not send the end date and amount from the client (browser). Instead send just the type of work: x.php?worktype=...
In the PHP file on the server side you read the type of work and then look up or calculate the end date and amount as necessary.
If you're interested in learning more about security in ajax applications I can also recommend the book "Ajax Security" by Hoffman and Sullivan.
Jakob Kruse
2010-04-25 10:30:06
Thanks, I think this will work
coolboycsaba
2010-04-30 08:11:33
A:
When the user interacts in your game to go to "work", store the values in a database server side?
Francisco Soto
2010-04-25 10:31:21
The values are stored in a file on the server, each player has its own file
coolboycsaba
2010-04-25 10:52:05
Then don't pass the parameters in the URL, use a value in your user session and use that in your PHP to look up the file for your user and fetch values from there.
Francisco Soto
2010-04-25 10:59:37
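An added example (not code from the question or from either answer) of an x.php that follows both suggestions above: the browser sends only a work type, the player is taken from the session rather than the URL, and the end date and pay come from a server-side table. The work type names, durations, pay values, the `player_id` session key and the `players/` directory are assumptions, and the ajax call is assumed to POST `worktype`.

```php
<?php
// Added example (not from the original Q&A): hardened x.php. The request
// carries only the work type; date, pay and player identity are server-side.
session_start();

// Server-side table of work types; names, durations and pay are assumed values.
const WORK_TYPES = [
    'farm'    => ['seconds' => 3600,  'pay' => 50],
    'factory' => ['seconds' => 7200,  'pay' => 120],
    'office'  => ['seconds' => 14400, 'pay' => 300],
    'mine'    => ['seconds' => 28800, 'pay' => 700],
];

// Player identity comes from the session set at login, never from the request.
if (empty($_SESSION['player_id'])) {
    http_response_code(401);
    exit('not logged in');
}
// Only accept an identifier shape we expect, so it cannot be used to
// build a path outside the players directory.
if (!preg_match('/^[a-z0-9_]{1,32}$/', $_SESSION['player_id'])) {
    http_response_code(400);
    exit('bad session');
}
$playerFile = __DIR__ . '/players/' . $_SESSION['player_id'] . '.json';

// Whitelist check: anything not in the table is rejected outright.
$worktype = $_POST['worktype'] ?? '';
if (!array_key_exists($worktype, WORK_TYPES)) {
    http_response_code(400);
    exit('unknown work type');
}

// Do not let a player start a new job while one is still running.
$state = is_file($playerFile) ? json_decode(file_get_contents($playerFile), true) : [];
if (!empty($state['work_end']) && $state['work_end'] > time()) {
    http_response_code(409);
    exit('already working');
}

// Compute the result from the trusted table, then persist it for this player.
$state['work_type'] = $worktype;
$state['work_end']  = time() + WORK_TYPES[$worktype]['seconds'];
$state['work_pay']  = WORK_TYPES[$worktype]['pay'];
file_put_contents($playerFile, json_encode($state), LOCK_EX);

header('Content-Type: application/json');
echo json_encode(['work_end' => $state['work_end'], 'pay' => $state['work_pay']]);
```

The page that pays out the money should apply the same rule: read `work_end` and `work_pay` from the player's file and check the time on the server, not trust anything the browser sends.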