
I've built a simple game using JavaScript and PHP. Once the user hits the target score, they are allowed to add their name to a highscore MySQL database. I'm using PHP POST to get their score and add it to MySQL.

After someone gets a highscore and enters their name, it resets the score variable back to zero and redirects them back to the main game page with header('location'). If they hit the back button once, all is good: it shows their score is zero since I reset the variables. However, if they hit the back button twice it brings up their high score and they can enter their name again and flood the highscore database with their name.

Any way to prevent this?

m1xolyd1an
  • Add some server side validation to validate if the high score is already submitted. – JimL Sep 21 '14 at 18:54
  • @JimL Ok thanks, any references you can point me to that might elaborate on how to do this? – m1xolyd1an Sep 21 '14 at 18:56
  • Create a [unique id](http://php.net/manual/en/function.uniqid.php) in a session for a game that is played. When they submit a score, submit the unique id along with it and then generate a new one. If they try to submit again, check that the id being submitted hasn't already been used. – Luke Sep 21 '14 at 19:00
  • Thanks @Doctus I like this idea, and will give it a try. I'm thinking generating a random sha1 hash in php with each session? – m1xolyd1an Sep 21 '14 at 19:08
  • If you generate a sha1 hash each time, you still have to generate something different to hash and hope for no collisions. If you use the uniqid function it bases the resultant string on the current time, so it is far, far less likely to ever be repeated – Luke Sep 21 '14 at 19:34
  • @php_nub_qq "needlessly complex and unreliable"..? in what way is storing the score in the session variable going to help OP stop duplication of scores or resubmission? – Luke Sep 21 '14 at 19:36
  • @Doctus Thanks this worked perfectly! Didn't take long, just had to add $session = uniqid(); to the main game page and then call that once they get to the highscore page and this prevents them from double posting their score. – m1xolyd1an Sep 22 '14 at 01:22

1 Answer


You need to check for at least one identifying feature of the user and check if they have submitted a score before serving up the form. There are various ways you can do this, each with their own weaknesses, so it's best to mix and match; however, some off the top of my head include:

  • Checking that a person with the same IP and user-agent string hasn't submitted a highscore in the last x minutes (though this may prevent some legit scores from being submitted - think of a school / office using the same browser and having the same IP)

  • Putting a tracking cookie on arrival with an identifying user id. Then checking that user id hasn't submitted a score in the last x minutes. (e.g. start a PHP session if you want)

  • Adding a cookie to the browser after score submit, then checking for this cookie before serving up the form (yes, it can easily be worked around by deleting the cookie). Alternatively, you could set a value in the session.

user3791372
  • Thanks, I'm going to use your idea combined with Doctus' comment of generating a unique string with each session – m1xolyd1an Sep 21 '14 at 19:10
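The approach the answer and the comments converge on (a per-game identifier kept in the session, checked and invalidated on submit) as an added example; this is not the asker's or the answerer's code. It assumes PHP 7.1+, a PDO handle `$pdo`, a `highscores` table with columns `name`, `score` and `token` where `token` carries a UNIQUE index, and that the reached score is already held in `$_SESSION['score']`; the file name `score_token.php` and every function name here are illustrative. The token is generated with `random_bytes()` rather than `uniqid()` so that it is unguessable as well as unique, and it is marked used before the INSERT runs so that a back-button replay or a double-click cannot slip past the check while the first request is still writing. Note what this does and does not cover: it stops the same game from being recorded twice, but because the score itself arrives from the client, it does nothing to stop a forged score value.

```php
<?php
// score_token.php -- added example, not the asker's or answerer's code.
// Assumes PHP 7.1+, a PDO handle $pdo, and a `highscores` table
// (name VARCHAR(32), score INT, token CHAR(32) UNIQUE). Include it from
// game.php, from the high-score form page and from the POST handler.

// game.php: call once when a new game starts, so each game gets its own token.
function issue_score_token(): string
{
    $_SESSION['score_token'] = bin2hex(random_bytes(16)); // 32 hex chars, unguessable
    $_SESSION['score_token_used'] = false;
    return $_SESSION['score_token'];
}

// highscore.php (GET): only serve the name form while an unused token exists.
function can_submit_score(): bool
{
    return !empty($_SESSION['score_token']) && empty($_SESSION['score_token_used']);
}

// submit.php (POST): returns the token on first use, null on any replay
// (no token in the session, token already used, or a non-matching value).
function consume_score_token(string $posted): ?string
{
    if (!can_submit_score()) {
        return null;
    }
    $expected = $_SESSION['score_token'];
    if (!hash_equals($expected, $posted)) {   // constant-time comparison
        return null;
    }
    // Burn the token *before* the database write: a second request that
    // arrives while the INSERT is still running is refused as well.
    $_SESSION['score_token_used'] = true;
    return $expected;
}

// Insert the row with a prepared statement. The UNIQUE index on `token` is
// the server-side backstop: even if session state is lost or replayed from
// another tab, the same game cannot be recorded twice.
function record_highscore(PDO $pdo, string $name, int $score, string $token): bool
{
    $stmt = $pdo->prepare(
        'INSERT INTO highscores (name, score, token) VALUES (:name, :score, :token)'
    );
    try {
        $stmt->execute([
            ':name'  => mb_substr(trim($name), 0, 32),
            ':score' => $score,
            ':token' => $token,
        ]);
        return true;
    } catch (PDOException $e) {
        if ($e->getCode() === '23000') {   // SQLSTATE integrity violation: duplicate token
            return false;
        }
        throw $e;
    }
}

/* Usage in submit.php (after session_start() and require 'score_token.php'):

   $token = consume_score_token((string) ($_POST['token'] ?? ''));
   if ($token === null
       || !record_highscore($pdo, (string) ($_POST['name'] ?? ''), (int) $_SESSION['score'], $token)) {
       http_response_code(409);
       exit('This score has already been submitted.');
   }
   $_SESSION['score'] = 0;
   header('Location: game.php');
   exit;

   In highscore.php (GET), before printing the form:

   if (!can_submit_score()) { header('Location: game.php'); exit; }

   and inside the form, the token travels in a hidden field:

   <input type="hidden" name="token"
          value="<?= htmlspecialchars($_SESSION['score_token'], ENT_QUOTES, 'UTF-8') ?>">
*/
```

With this in place the second back-button press still renders a stale copy of the form from the browser cache, but `consume_score_token()` rejects the POST because the session's token is already marked used, and the UNIQUE index rejects it again if the session check is ever bypassed. The IP / user-agent rate limit the answer mentions can be layered on top, but it is not needed for the duplicate-submission case once the per-game token is consumed server-side.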