
I have created a PHP file which will update the scores in the database. For example: http://domain.com/heli/test.php?id=100001181378824&score=50000

test.php contains the code below:

mysql_connect('localhost', $user, $password);   // $user, $password and $database are defined elsewhere
$id = mysql_real_escape_string($_GET['id']);
$score = mysql_real_escape_string($_GET['score']); // missing "(" fixed
@mysql_select_db($database) or die("Unable to select database");
// Nothing authenticates this request: anyone who can reach the URL can set any score for any id.
$query = "UPDATE heli SET score = '$score' WHERE app = '$id'";
echo $query;                                       // echoes the full SQL statement back to the client
$result = mysql_query($query);
mysql_close();

I want to know how to do a GET or POST request to my test.php via JavaScript in a secure way. Right now I have created the JS below.

 var httpwp = new XMLHttpRequest();
 var urlwp = "http://domain.com/heli/test.php?id=100001181378824&score=50000";
 var paramswp = "id=" + ids + "&score=" + scores;  // stray +" removed; ids and scores are defined elsewhere
 httpwp.open("GET", urlwp, true);
 httpwp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
 httpwp.setRequestHeader("Content-length", paramswp.length); // forbidden request header: browsers silently ignore it
 httpwp.setRequestHeader("Connection", "keep-alive");        // likewise ignored by the browser
 httpwp.send(paramswp); // with GET the body is not sent; only the query string already in urlwp reaches the server

But how do I do a POST or GET request securely, with an authentication key etc.?

Comments

  • What exactly do you mean by "secure"? Do you mean so it can't be manipulated on the client side? That's a non-trivial problem. Commented Feb 22, 2013 at 11:46
  • Your PHP code is leaving your database wide open. Commented Feb 22, 2013 at 11:46
  • Also I'd suggest refactoring your code so the score is calculated and set server side. Most straightforward way to solve your problem. Commented Feb 22, 2013 at 11:47
  • Ooh! An invitation to inject some SQL! Commented Feb 22, 2013 at 11:48
  • You left much to debate, for example what a "secure" way is in your text. Also, the way you type (capital letters for random reasons) is probably frowned upon since it makes you look uneducated. Considering there are tons of spell checkers, and they're even included in nearly all modern browsers, it just seems like you don't care. Commented Feb 22, 2013 at 11:55

2 Answers


You can never be sure about data which clients submit.

To make this more "secure" you must write some logic on your server about how that score is calculated.

For example, let's say that you start the game now and after 3 seconds you submit 1000 points. Is that possible?

You must create some steps or limits; for example, if the player is on level 1 the score can't be more than 100 points and can't be submitted before 1 minute of gameplay. And so on!

Good luck.


1. First, fix your PHP code so you are not vulnerable to SQL injection.

2. Next, access your server via https instead of http.

3. Add a PHP file to accept a login request for a name and password which will return a unique session key. (A large random number could be good enough, or a SHA1 hash of random data + some data in the request.)

4. Store this number in a server-side database along with the date it was issued.

5. Make your app get a session key from this file before uploading the score.

6. Make your score-saving PHP file accept your session key along with the score data and compare it against the database to see if it's valid, and not too old (check the issue date).

7. Store a new session key and return it with the result of the score update, and remove the old session key from the database.

8. Make your JS use the new key in later posts, each time getting a new one from the server.

9. Build in sanity checks in your PHP app to check for ridiculous and impossible scores. Also check for large scores achieved too quickly.
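The procedure above, together with the server-side plausibility checks the first answer recommends, put into one PHP file. This is an added example, not code from either answerer or from the asker; the table layout, column names, key lifetime and per-level score limits are assumptions made for the example, and it needs PHP 7.1 or later with PDO's MySQL driver. The client sends JSON by POST: a login action returns the first key, and every accepted score update returns the next one.

```php
<?php
// Added example (not the asker's or the answerers' code). Assumed schema, constructed here:
//   players(id INT PK, name VARCHAR, pass_hash VARCHAR, score INT, level INT)
//   sessions(token CHAR(64) PK, player_id INT, issued_at DATETIME, started_at DATETIME)
declare(strict_types=1);

const KEY_TTL_SECONDS       = 600;                             // assumed: keys expire after 10 min
const MAX_SCORE_PER_LEVEL   = [1 => 100, 2 => 500, 3 => 2000]; // assumed game rules
const MIN_SECONDS_PER_LEVEL = [1 => 60,  2 => 120, 3 => 300];  // assumed game rules

function db(): PDO {
    // Assumed DSN and credentials. Real server-side prepared statements, no emulation.
    $pdo = new PDO('mysql:host=localhost;dbname=heli;charset=utf8mb4', 'heli_user', 'password');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    return $pdo;
}

// Issue a fresh key: 256 bits from the CSPRNG, stored with its issue time.
// started_at is carried over on rotation so play time is measured from the login.
function issue_key(PDO $pdo, int $playerId, ?string $startedAt = null): string {
    $token = bin2hex(random_bytes(32));
    $pdo->prepare('INSERT INTO sessions (token, player_id, issued_at, started_at)
                   VALUES (?, ?, NOW(), IFNULL(?, NOW()))')
        ->execute([$token, $playerId, $startedAt]);
    return $token;
}

// Login: check the password hash, hand out the first key.
function login(PDO $pdo, string $name, string $password): ?string {
    $stmt = $pdo->prepare('SELECT id, pass_hash FROM players WHERE name = ?');
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pass_hash'])) {
        return null;
    }
    return issue_key($pdo, (int) $row['id']);
}

// Look a key up; malformed, unknown and stale keys all fail the same way.
function lookup_key(PDO $pdo, string $token): ?array {
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT player_id, issued_at, started_at FROM sessions WHERE token = ?');
    $stmt->execute([$token]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || time() - strtotime($row['issued_at']) > KEY_TTL_SECONDS) {
        return null;
    }
    return $row;
}

// The server, not the client, decides what a plausible score is.
function score_is_plausible(int $score, int $level, int $secondsPlayed): bool {
    return isset(MAX_SCORE_PER_LEVEL[$level])
        && $score >= 0
        && $score <= MAX_SCORE_PER_LEVEL[$level]
        && $secondsPlayed >= MIN_SECONDS_PER_LEVEL[$level];
}

// Score update: validate the key, check plausibility, update, then rotate the key.
function submit_score(PDO $pdo, string $token, int $score, int $level): array {
    $session = lookup_key($pdo, $token);
    if ($session === null) {
        return ['ok' => false, 'error' => 'invalid or expired key'];
    }
    $played = time() - strtotime($session['started_at']);
    if (!score_is_plausible($score, $level, $played)) {
        return ['ok' => false, 'error' => 'implausible score'];
    }
    $pdo->beginTransaction();
    $pdo->prepare('UPDATE players SET score = ?, level = ? WHERE id = ?')
        ->execute([$score, $level, (int) $session['player_id']]);
    $pdo->prepare('DELETE FROM sessions WHERE token = ?')->execute([$token]);
    $next = issue_key($pdo, (int) $session['player_id'], $session['started_at']);
    $pdo->commit();
    return ['ok' => true, 'key' => $next];
}

// Endpoint: JSON over HTTPS POST only; {"action":"login","name":..,"password":..}
// or {"key":..,"score":..,"level":..}. Only the JSON result is echoed back, never the SQL.
if (PHP_SAPI !== 'cli') {
    header('Content-Type: application/json');
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !$https) {
        http_response_code(400);
        echo json_encode(['ok' => false, 'error' => 'HTTPS POST required']);
        exit;
    }
    $in  = json_decode((string) file_get_contents('php://input'), true) ?: [];
    $pdo = db();
    if (($in['action'] ?? '') === 'login') {
        $key = login($pdo, (string) ($in['name'] ?? ''), (string) ($in['password'] ?? ''));
        echo json_encode($key === null ? ['ok' => false, 'error' => 'bad login']
                                       : ['ok' => true, 'key' => $key]);
    } else {
        echo json_encode(submit_score($pdo, (string) ($in['key'] ?? ''),
                                      (int) ($in['score'] ?? -1), (int) ($in['level'] ?? 0)));
    }
}
```

Prepared statements replace the string-built UPDATE, so id and score never reach the SQL parser as part of the statement text. The key is looked up, checked against its issue time, then deleted and replaced inside one transaction, so a key captured from one request is useless once the real client has made its next one. None of this stops a modified client from submitting a score the rules allow, which is why the plausibility check is the part that matters most.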
