
I'm trying to get a JavaScript function to call a PHP function that writes a text file to my web server, so I can store simple data for my game without using a database. But this will allow random people to call that function from the console (opened by pressing F12) and therefore write files to my web server.

Is there any way to fix this? Is everything wrong and do I have to start all over? Or is it just not possible?


My current code:

test.html:

<script src="js/php.js"></script>
<button onclick="phpFunc('test.php', 'write(\'Hello, World!\')', alertText);">test</button>

js/php.js:

function getReq() {
    // Create an XMLHttpRequest, falling back to the ActiveX objects used by old IE
    var req = false;
    if (window.XMLHttpRequest) req = new XMLHttpRequest();
    else {
        try {
            req = new ActiveXObject("Msxml2.XMLHTTP");
        } catch(e) {
            try {
                req = new ActiveXObject("Microsoft.XMLHTTP");
            } catch(e) {
                return false;
            }
        }
    }
    return req;
}

function phpFunc(url, func, success) {
    // "write('Hello, World!')" is split into the function name and its raw argument text;
    // both are passed straight through to the server, which is the problem the question is about
    var sfunc = func.split(")")[0].split("(");
    var rfunc = sfunc[0];
    var rparams = sfunc[1];

    var req = getReq();
    if (!req) return false;
    req.onreadystatechange = function() { if (req.readyState == 4 && req.status === 200) success(req.responseText); }
    req.open("GET", url + "?t=" + Math.random() + "&func=" + encodeURIComponent(rfunc) + "&params=" + encodeURIComponent(rparams), true);
    req.send();
}

function alertText(text) {
    alert(text);
}

test.php:

<?php
    function write($text) {
        $file = fopen("test.txt", "w"); 
        fwrite($file, $text);
        fclose($file);
    }

    {
        // Both the function name and its arguments come unchecked from the query string,
        // so anyone who can send a request can pick the function that gets called
        $func = $_GET["func"];
        $params = explode(", ", $_GET["params"]);
        for ($i = 0; $i < count($params); $i++) {
            if (is_numeric($params[$i])) $params[$i] = (int)$params[$i];
            else $params[$i] = str_replace(array("\"", "'"), "", $params[$i]);
        }
        call_user_func_array($func, $params);
    }
?>

Also, English is not my first language, so I'm not sure if everything was typed correctly.

DutChen18
  • Verify their identity, then use a session cookie and/or access token. – chRyNaN Apr 28 '15 at 00:31
  • There is no security on the client side. Whatever your code does in the browser can be replicated in a console, with varying degrees of difficulty. There are things you can do to make it harder (access token, as @chRyNaN says), but ultimately, your code is on display and can be modified at will for any purpose. The only foolproof (but expensive) way is to have everything of consequence happen on the server, like some MMOs do. – Amadan Apr 28 '15 at 00:33
  • @Amadan is correct. All code that needs to be secure should be executed on the server. An access token is just to verify the user's identity on the server so it can decide whether or not to perform the task. – chRyNaN Apr 28 '15 at 00:41

2 Answers

Never trust a client app.

JavaScript apps are much easier to abuse than compiled apps, because the tools to manipulate JavaScript are more accessible to more people.

If at all possible, have your web server interface only allow the client to report the actions that are taken in the game, and have the server be responsible for determining and recording the result. You can also apply a "reasonableness" check to the actions that the client reports.

You can make it harder for people to cheat using JavaScript obfuscation. That is not a silver bullet, but it will reduce the pool of people that have the skill to exploit a JavaScript interface to manipulate the game.

Eric J.
  • I totally forgot that I made this thread; now, more than one year later, I found it. I've created my own web server in Java now, which runs JavaScript server-side, and I stopped coding my game because it was very boring and I didn't know what else to add. So even though my question and its answer aren't really relevant to me anymore in the specific case I gave in the question, this would've been the right answer – DutChen18 Jul 05 '16 at 01:35

Authentication would make it so that only the logged-on user could get access to write to the file.

You could also verify what the AJAX request sends, so that only what you whitelist is written.

Community
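Putting both answers together (authentication, a whitelist of actions, and server-side "reasonableness" checks), here is an added example of a hardened replacement for the question's test.php; it is not code from either answer. It assumes a login step has already stored an integer user id in $_SESSION['user_id'] and that a saves directory exists outside the web root; the action names, file layout and score bound are invented for illustration.

```php
<?php
// Added example, not the questioner's code. Assumes a prior login stored an integer
// id in $_SESSION['user_id'] and that SAVE_DIR exists and is not served by the web server.
session_start();

const SAVE_DIR = __DIR__ . '/../saves';   // assumed location, outside the web root
const MAX_SCORE_STEP = 100;               // "reasonableness" bound on one reported action

function fail(int $status, string $msg): void {
    http_response_code($status);
    header('Content-Type: text/plain');
    exit($msg);
}

// 1. Authentication: only a logged-in user may write, and only to their own file.
if (!isset($_SESSION['user_id']) || !is_int($_SESSION['user_id'])) fail(401, 'login required');
if ($_SERVER['REQUEST_METHOD'] !== 'POST') fail(405, 'POST only');
$path = SAVE_DIR . '/' . $_SESSION['user_id'] . '.json';  // path comes from the session, never from the client

// 2. Whitelist: the client names an entry of this fixed table; it can never name a PHP function.
$actions = [
    'set_name' => function (array $save, array $in): array {
        $name = $in['name'] ?? '';
        if (!is_string($name) || !preg_match('/^[A-Za-z0-9 _-]{1,20}$/', $name)) fail(400, 'bad name');
        $save['name'] = $name;
        return $save;
    },
    'add_score' => function (array $save, array $in): array {
        // The server bounds each step, so a client cannot award itself an arbitrary score.
        $opts = ['options' => ['min_range' => 0, 'max_range' => MAX_SCORE_STEP]];
        $step = filter_var($in['points'] ?? '', FILTER_VALIDATE_INT, $opts);
        if ($step === false) fail(400, 'bad points');
        $save['score'] = ($save['score'] ?? 0) + $step;
        return $save;
    },
];
$action = $_POST['action'] ?? '';
if (!is_string($action) || !isset($actions[$action])) fail(400, 'unknown action');

// 3. Load, apply, save: the server computes the new state; the client only reports its action.
$save = is_file($path) ? (json_decode((string) file_get_contents($path), true) ?: []) : [];
$save = $actions[$action]($save, $_POST);
if (file_put_contents($path, json_encode($save), LOCK_EX) === false) fail(500, 'write failed');
header('Content-Type: application/json');
echo json_encode(['ok' => true, 'save' => $save]);
```

The client side then POSTs something like action=add_score&points=5 with its session cookie instead of a function name; anyone calling the endpoint from the F12 console can still do that, but only within the actions and bounds the server allows, and only for their own save file.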