security problems with passing javascript variable to a php variable

Question

Possible Duplicate:
Preventing fraudulent submission to a scoreboard
Prevent Cheating on Javascript Game

i've found a way to pass my javascript variables to a php variable by using this:

window.location.href = ".../gameover.php?points=" + points+"&speed="+window.speed;

in the gameover.php site i use

$_GET[speed]   // and 
$_GET[points]

to access my variables. these values then get stored into a database as hiscores. but here comes my problem: if the user just types for example

.../gameover.php?points=500000&speed=85

in the address bar it also stores these variables.

i have found something that helps avoiding this but you can still get around it. on my main page i make a cookie 'notcheated' and if the user visits the page and notcheated isset then it destroys the cookie and stores the values in my hiscores but if the user visits the main page and then enters the above address for example then the cookie isset but he hasn't played the game and then the values are also stored.

does someone have any suggestions to secure my site so that people can't just enter their own hiscores.

edit: i have tried to do it with a javascript post but that didn't work. maybe i did something wrong could someone please show me an example on how i should do that?

Answer 1

The only way to prevent this is to have the game logic executed on the server side, within your PHP code. If you send any points value from the client to the server, the user can cheat.

Example:

/sell.php?money=10

The above can be hacked, by changing 10 to 1000000. Instead, consider this:

/sell.php?itemid=1234

The server then handes the removal of the item from the player's inventory, and adds the appropriate amount of money to their account.

Answer 2

if your game is entirely based on javascript then few can be done, except for goofing around with patches; an advanced user will always get a highscore.

if your game SEND some ajax from time to time (while in a game) you can take these info and put them in $_SESSION, thus using them also for updating the game. if an abnormal value sent in between ajax calls, then user hacked somehow.

At the end you can use those $_SESSION-ed values instead of harmful URLs. Cookies can also be disabled in user's browser, dont count so much on them.

Answer 3

You could at least limit possible cheating to advanced users by sending a POST request - which is not displayed in the addressbar: https://stackoverflow.com/a/133997/1106393

function post_to_url(path, params, method) {
    method = method || "post"; // Set method to post by default, if not specified.

    // The rest of this code assumes you are not using a library.
    // It can be made less wordy if you use one.
    var form = document.createElement("form");
    form.setAttribute("method", method);
    form.setAttribute("action", path);

    for(var key in params) {
        if(params.hasOwnProperty(key)) {
            var hiddenField = document.createElement("input");
            hiddenField.setAttribute("type", "hidden");
            hiddenField.setAttribute("name", key);
            hiddenField.setAttribute("value", params[key]);

            form.appendChild(hiddenField);
         }
    }

    document.body.appendChild(form);
    form.submit();
}

But that is a poor solution, since it is pretty easy to fake as well.

An other solution would be to encode the values before sending them. So it is not obvious what they mean. Check out "Javascript Base64 Encode/Decode" in Google for example:

value='1234'      // plain
value='MTIzNA=='  // base64-encoded

A JavaScript-function for base64-encoding can be found here: https://stackoverflow.com/a/133997/1106393

On the server you would use the following:

$speed = base64_decode($_POST['speed']);

http://www.php.net/manual/en/function.base64-decode.php