
So I have a problem. I have this code:

$params = "'plname=" . $player->username . "&plmiss=" . $player->miss . "&plmaxdmg=" . $player->maxdmg . "&plmindmg=" . $player->mindmg . "&plhp=" . $player->hp . "&plmhp=" . $player->maxhp;
$params .= "&enname=" . $enemy->username . "&enmiss=" . $enemy->miss . "&enmaxdmg=" . $enemy->maxdmg . "&enmindmg=" . $enemy->mindmg . "&enhp=" . $enemy->hp . "&enmhp=" . $enemy->hp . "'";
buttonform("pvm.php","Attack",$params);

The buttonform function:

function buttonform($page,$texto,$params)
{
    // Emits a button whose onclick passes $params to $page through ajaxpost().
    ?><input type="button" onclick="ajaxpost('menu','<?php echo $page;?>',<?php echo $params;?>);" class="button" value="<?php echo $texto;?>"><?php
}

So, you guessed it: the function will create a button that, when clicked, will send an AJAX request for pvm.php + $params.

But the problem is that $params is confidential and should not be available to change. But if we go into the page code (I've done this with Google Chrome developer tools) we can change those variables to whatever we want, and that is what I don't want. If anyone can help me make those variables unavailable for change, THANK YOU!

Lordareon
  • You really can't encrypt client-side DOM information in a way that protects it from a resourceful user. – Jake Jan 13 '11 at 21:10

1 Answer


Anything loaded into the user's browser is available for change. You'll have to store that information server-side.

To that end, take a look at PHP sessions:

http://www.w3schools.com/PHP/php_sessions.asp

http://www.php.net/manual/en/book.session.php

Jake
  • Hmm, and if I create a table in MySQL using the Memory storage engine, will doing this every 4 or 5 seconds by 20 people at the same time have a HEAVY impact on performance? – Lordareon Jan 13 '11 at 21:03
  • I don't believe $_SESSION variables get stored in a database at all. See: http://stackoverflow.com/questions/454635/where-are-session-variables-stored – Jake Jan 13 '11 at 21:06
  • Sure, just like normal PHP variables. The difference is PHP will remember $_SESSION variables after a page reload, and they follow the user's web browser session. Here's the syntax: http://www.php.net/manual/en/function.session-start.php – Jake Jan 13 '11 at 21:12
  • Whatever, so in this case it's better to store it in a table in MySQL using the Memory storage engine? I mean, most secure and fast? – Lordareon Jan 13 '11 at 21:13
  • I know nothing about the Memory storage engine. Your question was about making variables unavailable for change. The simplest and most straightforward method I am aware of is session variables. Routing everything to a MySQL database adds a layer of complexity, but I can't say one way or the other which method would be more secure and fast. – Jake Jan 13 '11 at 21:26
  • Well, I know that Memory storage engine tables are stored in memory. They use hash indexes by default, which makes them very fast, and very useful for creating temporary tables. However, when the server shuts down, all rows stored in MEMORY tables are lost. The tables themselves continue to exist because their definitions are stored in .frm files on disk, but they are empty when the server restarts. I know my intent, but I need to pass something as a parameter on that AJAX call that is not a variable, maybe a constant that the PHP code will get and then change. – Lordareon Jan 13 '11 at 21:30
  • I think I understand, but we're getting outside of my area of expertise. I'm an application developer, and this is creeping into the sysadmin realm. – Jake Jan 13 '11 at 21:33
  • Thank you for your help and attention =D – Lordareon Jan 13 '11 at 21:37
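
The session approach from the answer above, sketched as an added example that is not part of the original thread. The function names startFight() and attack() and the stat values are hypothetical; a plain array stands in for $_SESSION so the file runs from the command line.

```php
<?php
// Added example, not the asker's code. Fight state lives in the session
// (server side); the browser only sends "attack", never the stats.

function startFight(array &$session, array $player, array $enemy): void
{
    // Stats are loaded server-side (e.g. from the database), never from the request.
    $session['fight'] = ['player' => $player, 'enemy' => $enemy];
}

function attack(array &$session, array $request): array
{
    if (!isset($session['fight'])) {
        return ['error' => 'no fight in progress'];
    }
    // $request is deliberately not consulted for stats: anything such as
    // plmaxdmg or enhp sent by the client is ignored.
    $f = &$session['fight'];
    $dmg = random_int($f['player']['mindmg'], $f['player']['maxdmg']);
    $f['enemy']['hp'] = max(0, $f['enemy']['hp'] - $dmg);
    return ['damage' => $dmg, 'enemy_hp' => $f['enemy']['hp']];
}

// In pvm.php this would be: session_start(); attack($_SESSION, $_POST);
$session = [];
startFight(
    $session,
    ['username' => 'hero', 'mindmg' => 5, 'maxdmg' => 10, 'hp' => 100], // constructed
    ['username' => 'orc',  'mindmg' => 3, 'maxdmg' => 8,  'hp' => 50]   // constructed
);

// A tampered request, as it could be edited in browser developer tools.
$tampered = ['plmaxdmg' => '99999', 'enhp' => '0'];
$result = attack($session, $tampered);

// Damage stays inside the server-side 5..10 range whatever the request says.
assert($result['damage'] >= 5 && $result['damage'] <= 10);
assert($result['enemy_hp'] === 50 - $result['damage']);
echo json_encode($result), PHP_EOL;
```

With this layout the Attack button no longer needs to carry any stat parameters, so there is nothing in the page for the user to change.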