
I am trying to create a game leaderboard website which will contain people's highscores from different games.

I have 3 tables users, games and gamedata.

The columns are as follows.

  • users : id | name

  • games : id | title | owner_id

  • gamedata : user_id | game_id | highscore

I have a JavaScript API which third-party game developers use to create a "submit score" button in their game.

When they send me data I receive it using `$_POST` and insert it into my game_data table with `"Insert into game_data(user_id, gameid, highscore) values('$_session['user_id']', '$gameid', '$score')"`.

Now, as you know, anyone can send me fake data for `$gameid` and `$score`.

Since I have no control over those two values on my server, how is it possible to ensure the security of data sent from third-party sites?

  • Try [public key cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography) and [this stack issue](http://stackoverflow.com/questions/12457234/encrypt-in-javascript-decrypt-in-php-using-public-key-cryptography) – morels Feb 16 '16 at 11:26
  • How can I use it in my case @morels? – Chaks Feb 16 '16 at 11:33
  • Simply follow the stack overflow example. Various games should encrypt the data to be submitted with their private key and then post it. You should deploy a php server that after it has listened a new post request it decrypts the message with one's public key and process data as you need. This way you are sure of the identity of the submitter. – morels Feb 16 '16 at 12:27
  • You cannot prevent the user uploading fake scores. You can add obfuscation to slow some users down but ultimately preventing cheating entirely is fundamentally impossible. On the other hand, you *do* at least need to change to using parameterised queries, because you are currently vulnerable to SQL injection, a much more serious threat. – bobince Feb 16 '16 at 20:50
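The two comments above pull in different directions: signing the submission proves who sent it, while nothing proves that the score inside it is honest. The following added example (not code from the question or from the linked answer) shows the realistic middle ground: the game developer's own server, not the browser, submits the score and signs it with a per-game shared secret using HMAC-SHA256, and the leaderboard verifies the signature. The per-game secret, the `ts`/`nonce` fields and the 300-second freshness window are assumptions made for the example.

```php
<?php
// Added example: server-to-server score submission signed with a per-game
// shared secret (HMAC-SHA256). Not code from the question or the answers.
// Assumption: each game in the `games` table has been issued a secret that
// exists only on the game developer's server and on the leaderboard server.

// --- Game developer's side (runs on their server, never in the browser) ---
function sign_submission(array $payload, string $secret): array {
    // Canonical encoding so both sides hash exactly the same bytes.
    // http_build_query renders ints and strings identically ("score=1500"),
    // which matters because $_POST on the receiving side only holds strings.
    ksort($payload);
    $body = http_build_query($payload);
    $payload['sig'] = hash_hmac('sha256', $body, $secret);
    return $payload;
}

// --- Leaderboard side ---
function verify_submission(array $request, string $secret, int $max_skew = 300): bool {
    if (!isset($request['sig'], $request['ts'])) {
        return false;
    }
    $sig = (string) $request['sig'];
    unset($request['sig']);
    ksort($request);
    $expected = hash_hmac('sha256', http_build_query($request), $secret);
    // Constant-time comparison: a plain == on the hex digest leaks timing.
    if (!hash_equals($expected, $sig)) {
        return false;
    }
    // Reject stale requests so a captured submission cannot be replayed
    // indefinitely. To block replays inside the window, remember each nonce
    // per game on the leaderboard side (storage not shown here).
    return abs(time() - (int) $request['ts']) <= $max_skew;
}

// Constructed demo values (not real secrets or real records).
$secret = 'per-game-secret-stored-only-on-both-servers';
$signed = sign_submission([
    'game_id' => 7,
    'user_id' => 42,
    'score'   => 1500,
    'ts'      => time(),
    'nonce'   => bin2hex(random_bytes(8)),
], $secret);

$accepted = verify_submission($signed, $secret);   // untouched payload verifies

$tampered = $signed;
$tampered['score'] = 999999;                        // altered in transit
$rejected = !verify_submission($tampered, $secret); // signature no longer matches

var_dump($accepted, $rejected);
```

This authenticates the game developer's server and detects tampering between the two servers; it does not, and cannot, stop a player from cheating inside the game itself, which is the point the second comment makes. A per-game secret also localises the damage: a leaked secret lets someone forge scores for that one game, and rotating it in the `games` table revokes it.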

1 Answer

What do you mean by ensuring security?

Given your example, I would:

1) Sanitise the data. As a general rule, NEVER TRUST USER DATA.

2) Validate the data by looking at the database and checking whether $gameid is actually a record that exists on the table.

3) Make sure you validate the given $score within an accepted range.

4) Prepare your query to avoid SQL-injection.

5) Optional: Use SSL (you can get free certificates from Let's Encrypt).

6) If you can, move most of the logic to the server side. Let the client just send actions, and do the logic server-side, where you have granular control over the data and actions.
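Steps 1 to 4 and 6 fit into a single submit handler. The following is an added example of what that handler looks like with PDO prepared statements; it is not the asker's code. It assumes the table and column names from the question (`users`, `games`, `gamedata` with `user_id`, `game_id`, `highscore`), that a logged-in user's id is already in `$_SESSION['user_id']`, and that a MySQL database named `leaderboard` is reachable with the placeholder credentials shown; the score bounds of 0 to 1,000,000 are constructed for the example.

```php
<?php
// Added example: hardened submit-score handler, not the asker's code.
// Assumptions: PHP 7+, PDO with MySQL, session already holds user_id,
// table and column names as given in the question.

session_start();
header('Content-Type: application/json');

function respond(int $status, array $body): void {
    http_response_code($status);
    echo json_encode($body);
    exit;
}

// Step 1: never trust user data. Read only the fields we expect and coerce
// them to the types we expect; anything that does not fit is rejected.
// filter_input returns null when the field is absent and false when invalid.
$game_id = filter_input(INPUT_POST, 'game_id', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1]]);
// Step 3: the score must fall inside an accepted range (bounds are constructed).
$score = filter_input(INPUT_POST, 'score', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 0, 'max_range' => 1000000]]);
// The identity comes from the session, never from the POST body.
$user_id = $_SESSION['user_id'] ?? null;

if ($user_id === null) {
    respond(401, ['error' => 'not logged in']);
}
if ($game_id === null || $game_id === false) {
    respond(400, ['error' => 'invalid game_id']);
}
if ($score === null || $score === false) {
    respond(400, ['error' => 'score missing or out of range']);
}

// Placeholder credentials; real ones belong in configuration, not in code.
$pdo = new PDO('mysql:host=localhost;dbname=leaderboard;charset=utf8mb4',
    'app', 'PLACEHOLDER_PASSWORD', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]);

// Step 2: the game must actually exist before we record anything for it.
$stmt = $pdo->prepare('SELECT 1 FROM games WHERE id = ?');
$stmt->execute([$game_id]);
if ($stmt->fetchColumn() === false) {
    respond(404, ['error' => 'unknown game']);
}

// Step 4: parameterised statements, so game_id and score are always data
// and can never become part of the SQL text.
// Step 6: the server decides what counts as a high score; the client only
// reports a score, and a lower value never overwrites a higher one.
$pdo->beginTransaction();
$stmt = $pdo->prepare(
    'SELECT highscore FROM gamedata WHERE user_id = ? AND game_id = ? FOR UPDATE');
$stmt->execute([$user_id, $game_id]);
$current = $stmt->fetchColumn();

if ($current === false) {
    $pdo->prepare('INSERT INTO gamedata (user_id, game_id, highscore) VALUES (?, ?, ?)')
        ->execute([$user_id, $game_id, $score]);
} elseif ($score > (int) $current) {
    $pdo->prepare('UPDATE gamedata SET highscore = ? WHERE user_id = ? AND game_id = ?')
        ->execute([$score, $user_id, $game_id]);
}
$pdo->commit();

respond(200, ['ok' => true]);
```

The `SELECT ... FOR UPDATE` inside the transaction is what makes step 6 hold up under concurrent submissions from the same player: two requests cannot both read the old high score and then both write. Disabling emulated prepares ensures the placeholders are bound by the database server itself rather than interpolated by the driver.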