0

My application calls external PHP files to retrieve and submit information to an SQL database. Each request made is visible in the developer panel of what I assume to be any browser, and can easily be re-executed manually. It is my understanding that trying to detect the "source" of the request is not the right way to go about restricting manual invocation of scripts.

My main reason for wanting to prevent re-execution of these scripts is that they could either lead to the user giving themselves more than they've earned (UPDATE user_scores SET score = score + x) or returning themselves to a previous state as many times as they want (UPDATE user_scores SET score = x).

What is a tried and true method of ensuring that a query within a script that is only intended to execute once is executed the first time and never again?

Community
  • 1
  • 1
Johnny Cage
  • 37
  • 4
  • Not making the query available after the first time? Usually this works out as a set of flags. once you detected the flag as being active, you would like to not do anything after :) – Xnoise Dec 27 '12 at 19:33
  • maybe nonce? http://stackoverflow.com/questions/4145531/how-to-create-and-use-nonces – mtrbean Dec 27 '12 at 20:27

1 Answers1

1

You should never rely on client-side controls like this. Your PHP script should be checking who the user is, and validating that they should 'get' whatever it is they are getting, before doing it.

What ever code you are running that is calculating that score in the first place should be where your UPDATE code is... it should never leave the server.

Andrew Barber
  • 39,603
  • 20
  • 94
  • 123