
I have created a PHP file which will update the scores in the database. For example: http://domain.com/heli/test.php?id=100001181378824&score=50000

test.php contains the code below:

<?php
mysql_connect('localhost', $user, $password);        // the host must be a quoted string
$id    = mysql_real_escape_string($_GET['id']);
$score = mysql_real_escape_string($_GET['score']);   // the "(" was missing in the original
@mysql_select_db($database) or die("Unable to select database");
// Both values are escaped and quoted, but nothing checks who is calling:
// anyone who knows the URL can set any score for any id.
$query = "UPDATE heli SET score = '$score' WHERE app = '$id'";
echo $query;
$result = mysql_query($query);
mysql_close();

I want to know how to do a GET or POST request to my test.php via JavaScript in a secure way. Right now I have created the JS below.

 var httpwp = new XMLHttpRequest();
 var urlwp = "http://domain.com/heli/test.php?id=100001181378824&score=50000";
 var paramswp = "id=" + ids + "&score=" + scores;  // ids and scores are defined elsewhere; the original had an unterminated string here
 httpwp.open("GET", urlwp, true);
 httpwp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
 httpwp.setRequestHeader("Content-length", paramswp.length);  // forbidden header: browsers silently drop it
 httpwp.setRequestHeader("Connection", "keep-alive");         // likewise ignored by the browser
 httpwp.send(paramswp);  // a GET request has no body, so only the query string in urlwp is actually sent

But how do I do a POST or GET request securely, with an authentication key etc.?

Vishnu Vishwa

  • What exactly do you mean by "secure" - you mean so it can't be manipulated on the client side? That's a non-trivial problem. – Pekka Feb 22 '13 at 11:46
  • Your PHP code is leaving your database wide open. – Blender Feb 22 '13 at 11:46
  • Also I'd suggest refactoring your code so the score is calculated and set server-side. Most straightforward way to solve your problem. – Mahn Feb 22 '13 at 11:47
  • Ooh! An invitation to [inject some SQL](http://stackoverflow.com/questions/60174/how-to-prevent-sql-injection-in-php)! – Martijn Feb 22 '13 at 11:48
  • That's not my complete test.php – Vishnu Vishwa Feb 22 '13 at 11:50
  • Why -1? What's wrong with you guys? – Vishnu Vishwa Feb 22 '13 at 11:53
  • hmmm noobs get -1??? :( – Vishnu Vishwa Feb 22 '13 at 11:53
  • You left much to debate, for example what a "secure" way is in your text. Also, the way you type (capital letters for random reasons) is probably frowned upon since it makes you look uneducated. Considering there are tons of spell checkers, they're even included in nearly all modern browsers - it just seems like you don't care. – N.B. Feb 22 '13 at 11:55
  • possible duplicate of [Secure communication between JavaScript and a Web service in PHP](http://stackoverflow.com/questions/7860238/secure-communication-between-javascript-and-a-web-service-in-php) – Martijn Feb 22 '13 at 11:57
  • I suppose that the procedure of submitting the scores could be done by (a) making a request to the server for a token (the token should be stored temporarily on the server), (b) using that token to encrypt/transform the score in the browser, (c) submitting the transformed score to the server, (d) using the stored token to 'untransform' the score, (e) adding the score to the database. This would ensure that people can't submit any score they like and it would enforce upon you the need to sanity-check the data before trying to enter it into the database. No more "bobby tables" (google it). – enhzflep Feb 22 '13 at 12:00

2 Answers


You can never be sure about data which clients submit.

To make this more "secure" you must write some logic on your server about how that score is calculated.

For example, let's say that you start the game now and after 3 seconds you submit 1000 points. Is that possible?

You must create some steps or limits; for example, if the player is on level 1 the score can't be more than 100 points and can't be submitted before 1 minute of gameplay. And so on!

Good luck.

Oden


1. First, fix your PHP code so you are not vulnerable to SQL injection.

2. Next, access your server via HTTPS instead of HTTP.

3. Add a PHP file to accept a login request for a name and password which will return a unique session key (a large random number could be good enough, or a SHA-1 hash of random data + some data in the request).

4. Store this number in a server-side database along with the date it was issued.

6. Make your app get a session key from this file before uploading the score.

7. Make your score-saving PHP file accept your session key along with the score data and compare it against the database to see if it's valid and not too old (check the issue date).

8. Store a new session key and return it with the result of the score update, and remove the old session key from the database.

9. Make your JS use the new key in later posts, each time getting a new one from the server.

10. Build sanity checks into your PHP app to check for ridiculous and impossible scores. Also check for large scores achieved too quickly.

Tim De Lange
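An added example, not code from the question or from either answer, of the server-side logic the two answers describe: the one-time, expiring session key from Tim De Lange's steps 3 to 9 and the elapsed-time plausibility check from Oden's answer. It is written in Python rather than PHP, with an in-memory SQLite table standing in for the MySQL `heli` table; `ScoreService`, `MAX_KEY_AGE` and `MAX_POINTS_PER_SECOND` are constructed names and limits, not anything from the thread.

```python
import secrets
import sqlite3

MAX_KEY_AGE = 300            # constructed limit: seconds a session key stays valid
MAX_POINTS_PER_SECOND = 50   # constructed limit: faster scoring is treated as impossible


class ScoreService:
    """Hypothetical server side: issues keys, validates submissions, stores scores."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE heli (app TEXT PRIMARY KEY, score INTEGER)")
        self.db.execute(
            "CREATE TABLE sessions (key TEXT PRIMARY KEY, app TEXT, issued REAL, started REAL)")

    def login(self, app_id, now):
        """Steps 3/4: hand out a random key and record when it was issued and when play started."""
        key = secrets.token_hex(32)
        self.db.execute("INSERT INTO sessions VALUES (?, ?, ?, ?)", (key, app_id, now, now))
        return key

    def submit_score(self, key, score, now):
        """Steps 7/8/10: check the key, sanity-check the score, rotate the key.
        Returns (new_key, message); new_key is None when the submission is rejected."""
        row = self.db.execute(
            "SELECT app, issued, started FROM sessions WHERE key = ?", (key,)).fetchone()
        if row is None:
            return None, "unknown session key"
        app_id, issued, started = row
        # Every presented key is consumed, so a captured request cannot be replayed.
        self.db.execute("DELETE FROM sessions WHERE key = ?", (key,))
        if now - issued > MAX_KEY_AGE:
            return None, "session key expired"
        elapsed = now - started
        if score < 0 or score > elapsed * MAX_POINTS_PER_SECOND:
            return None, "implausible score for elapsed time"
        # Step 1: a parameterised query instead of interpolating $_GET values into SQL.
        self.db.execute("INSERT OR REPLACE INTO heli VALUES (?, ?)", (app_id, score))
        new_key = secrets.token_hex(32)
        self.db.execute("INSERT INTO sessions VALUES (?, ?, ?, ?)", (new_key, app_id, now, started))
        return new_key, "ok"

    def score_of(self, app_id):
        row = self.db.execute("SELECT score FROM heli WHERE app = ?", (app_id,)).fetchone()
        return row[0] if row else None
```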