1

I am making a game with PHP and jQuery, but I have some problems with security. It's a typing game, and when the player types a combination correctly, jQuery sends an AJAX request to PHP and PHP adds 10 points to the session. Here is my code:

$('body').on('keyup','.codes_input',function() {
    if($('.codes_input').val() == $('.code').html()) {
        $.post(url+'/save_results',{_token:token});
        points=points+10;
        $('.code').html(randomString());
        $('.codes_input').val('');
        $('.points').html(points);
    }
});

However, my friends could simply do many such $.post(url+'/save_results',{_token:token}); requests in a Chrome extension (if I understood correctly) and get 1000 or even more points (cheating). Is there a way to avoid this? I can't find another way of programming this... Thanks for your help, sorry for my poor English :)

2 Answers

2

Move the logic of evaluating and awarding points to your PHP layer.

Use jQuery with HTML WebSockets just to submit the answer.

As an example architecture, you can have a look at the following:

  1. Javascript and PHP for real-time multiplayer <- Join this SE network
  2. Real Time Multiplayer in HTML5

1

Javascript can always be seen by the user, so you cannot really build a secure application like this. The way to go would be to check via Javascript whether the code is correct (as you already do), and then send the code to the PHP script and validate it there as well.

8 Comments

You mean sending the code and input to the PHP file and checking there?
Yes, and then you return something like a boolean back to JavaScript to give graphical feedback to the user. jQuery's $.post can handle that as well; you could, for example, encode it via JSON.
But if an attacker can use that $.post in my way, he can also send the correct code (var code=$('.code').html();) and PHP will return true, so the result will be the same as mine, or I don't understand something? :?
You would have to remove the .code element as well. Even without any post requests the user could simply look at your site via e.g. Firebug, find the value and enter it into your input field.
And what if I stop the game on blur then?
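
Added example, not part of the original thread: the server generates each code, keeps it in the session, and awards points only after checking the submitted text itself, so repeating the `save_results` request earns nothing. The function names, the session layout and the minimum-typing-time check are assumptions, and a plain array stands in for `$_SESSION`.

```php
<?php
// Added example (not from the original thread): server-side challenge and validation.
// Function names, the session layout and MIN_SECONDS_PER_CHAR are assumptions.
declare(strict_types=1);

const CODE_LENGTH = 8;
const POINTS_PER_CODE = 10;
const MIN_SECONDS_PER_CHAR = 0.05; // assumed floor for human typing speed

/** Create a new code on the server, remember it, and return it for display. */
function issueChallenge(array &$session, float $now): string
{
    $alphabet = 'abcdefghijklmnopqrstuvwxyz0123456789';
    $code = '';
    for ($i = 0; $i < CODE_LENGTH; $i++) {
        $code .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    $session['challenge'] = ['code' => $code, 'issued_at' => $now];
    return $code;
}

/** Validate a submission; points change only here, never on the client's word. */
function submitAnswer(array &$session, string $typed, float $now): array
{
    $challenge = $session['challenge'] ?? null;
    // Single use: whatever happens, this challenge cannot be submitted again.
    unset($session['challenge']);

    $ok = is_array($challenge)
        && hash_equals($challenge['code'], $typed)
        && ($now - $challenge['issued_at']) >= CODE_LENGTH * MIN_SECONDS_PER_CHAR;

    if ($ok) {
        $session['points'] = ($session['points'] ?? 0) + POINTS_PER_CODE;
    }
    return ['correct' => $ok, 'points' => $session['points'] ?? 0,
            'next_code' => issueChallenge($session, $now)];
}

// Constructed demo: a plain array stands in for $_SESSION.
$session = [];
$code = issueChallenge($session, 100.0);
$first = submitAnswer($session, $code, 103.0);   // typed correctly after 3 s
$replay = submitAnswer($session, $code, 103.1);  // same request sent again
echo json_encode(['first' => $first['correct'], 'replay' => $replay['correct'],
                  'points' => $replay['points']]), PHP_EOL;
```

Because the code has to be shown to the player, a script can still read and submit it; the single-use challenge and the timing floor only cap how fast points can be earned per session.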