4

I have a simple HTML5 Canvas game and at the end of a part I want to store variables in MySQL. Is it secure to do this with XMLHttpRequest, Ajax or anything? This is how I started to write it:

var request = new XMLHttpRequest();
request.onreadystatechange = function() {
    if (request.readyState == 4 && request.status == 200) {
        var success = request.responseText;
        alert(success);
    }
}
request.open('GET', 'saveLevel.php?name='+name+'&level='+level, true);
request.send();

My problem with this is that everyone can do this in console like this:

var request = new XMLHttpRequest();
request.onreadystatechange = function() {
    if (request.readyState == 4 && request.status == 200) {
        var success = request.responseText;
        alert(success);
    }
}
request.open('GET', 'saveLevel.php?name='+name+'&level=100', true);
request.send();

(How) can I solve it?

Tamás
  • It's as secure as your PHP code, and your network connection – Mark Baker Sep 20 '15 at 13:15
  • What do you think is insecure about it? I have a feeling what you are talking about is not what other people think "secure" means. Yes anyone can call your php page without using your methods. Is that insecure? Not really, but you may think it is. – epascarello Sep 20 '15 at 13:18
  • 1
    You'll need to change your architecture a little. It is never safe if the client decides on anything and makes the server obey. You will want to _notify_ the server about it and make it decide what to do. – DeDee Sep 20 '15 at 13:19
  • But if they know the name of the php file they can use it so they can edit the database easily. Why is it secure? – Tamás Sep 20 '15 at 13:23
  • You can make it a little tougher by using post instead of get. – Rasclatt Sep 20 '15 at 13:26
  • Why is that more secure? I have the same problem with that: the file name is visible so they can use that. – Tamás Sep 20 '15 at 13:28
  • It is either secure or it isn't – Drew Sep 20 '15 at 13:29
  • 1
    Post MUST be the protocol used when posting data, and GET MUST be used when getting data. It's nothing but pragmatism and organisation. –  Sep 20 '15 at 13:30
  • 2
    You need to implement the security in your server-side PHP code, you should never rely purely on javascript, no matter what you do to it – Mark Baker Sep 20 '15 at 13:30
  • 2
    Problem is OP can't define secure. – Drew Sep 20 '15 at 13:32
  • So how is it possible to make it secure in the PHP file? – Tamás Sep 20 '15 at 13:32
  • 1
    Well start by validating that the person making the request has permission to do so, and to the records that they're making the request against – Mark Baker Sep 20 '15 at 13:35
  • How can I make it secret what kind of person he is? I believe if it's fully public what he is, it won't be hard to do it. – Tamás Sep 20 '15 at 13:41

1 Answer

3

You can use the combination of Authentication, Obfuscation and Minification to secure your JavaScript Network Calls

  • Sample JS Obfuscator Library JScrambler

  • Sample JS Minification Library UglifyJS

  • Authentication-

    I assume your API has some sort of authentication field (e.g. Hash/Token etc.). If not, you can integrate it with - This answer.

    • Make sure you use a salt, (or even API key) that is given to your JS client on a Session Basis. This way, you can prevent it from unauthorized access.
    • On the server side, remember the last few endpoint calls, and before allowing another one, check if your logic allows for the new one right now.

If you follow the steps above it will certainly make it very secure.

Community
Pankaj