1

I'm trying to make a game using AJAX and PHP, but I'm pretty new to it.

First off they have to choose the difficulty. Let's say someone chooses easy.

```js
function clickedEasy() {
    $.post("game.php", {
        clicked: "easy"
    }, function (data, status) {
        console.log(data);
    });
}
```

Game.php:

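```php
<?php
session_start(); // needed before $_SESSION can be used

if (isset($_POST['clicked'])) {
    if ($_POST['clicked'] == 'easy') { // Assign difficulty
        $difficulty = 1;
    } elseif ($_POST['clicked'] == 'medium') {
        $difficulty = 2;
    } elseif ($_POST['clicked'] == 'hard') {
        $difficulty = 3;
    }
    // Store the chosen difficulty in the session (the assignment was reversed)
    $_SESSION['difficulty'] = $difficulty;
    echo ($difficulty);
}
```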

Now imagine he is one step away from finishing the game and goes to the console and pastes `$.post("game.php", {clicked: "hard"}, function (data, status) {console.log(data);})`. He can finish the game and claim the hard difficulty reward. This is just an example; much more can be done using the browser console and the sources. I don't understand how I can avoid these types of cheats.

Thanks.

Dave
  • 2
    This is like worrying about the tight fairway on the 11th hole of the Masters when you haven't learned how to hit the ball yet. Just make a game. – Jared Smith May 20 '18 at 20:37
  • Possible duplicate of [Prevent Cheating on Javascript Game](https://stackoverflow.com/questions/7171101/prevent-cheating-on-javascript-game) – Jared Smith May 20 '18 at 20:38
  • 1
    Save the difficulty server side and don't let it be changed later. – Reeno May 20 '18 at 20:39

2 Answers

2

A simple way to stop this would be to check if the difficulty was already set.

For example:

```php
if (isset($_POST['clicked']) && !isset($_SESSION['difficulty'])) {
...
}
```

or if you're storing this in a database, check if it is already set there.

Remember, anything in JavaScript can be edited and thus can be used to cheat; anything in PHP cannot. Using AJAX (using JavaScript to call PHP) allows the user to use JavaScript to edit PHP, opening an attack vector. Using session variables and only using PHP to edit them is the way to make sure a user does not cheat.

edit: you could also hash the values you don't want changed and keep the key only on the server. This is more complicated to implement but it does mean less work for the server in the long term.

Jacob Sussan
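The signing idea from the edit in the answer above, shown as an added example that is not part of the original answer: the server attaches an HMAC to the difficulty and rejects any value whose MAC does not verify. `GAME_HMAC_KEY`, `issueToken()`, `verifyToken()` and the `game-0001` ids are hypothetical names and constructed values; the key is assumed to come from server-side configuration, and game ids are assumed to be server-generated and free of `|`.

```php
<?php
// Added example: tamper-evident difficulty token signed with a server-only key.
// Assumption: in real use the key is loaded from server config, never sent to the browser.
const GAME_HMAC_KEY = 'replace-with-random-bytes-from-server-config';
const DIFFICULTIES = ['easy' => 1, 'medium' => 2, 'hard' => 3];

// Issue a token once, when the player picks a difficulty.
function issueToken(string $gameId, string $choice): ?string
{
    if (!array_key_exists($choice, DIFFICULTIES)) {
        return null; // reject anything outside the allow-list
    }
    $payload = $gameId . '|' . DIFFICULTIES[$choice];
    return $payload . '|' . hash_hmac('sha256', $payload, GAME_HMAC_KEY);
}

// Verify a token sent back by the client; returns the difficulty or null.
function verifyToken(string $gameId, string $token): ?int
{
    $parts = explode('|', $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$tokGame, $tokDiff, $tokMac] = $parts;
    $expected = hash_hmac('sha256', $tokGame . '|' . $tokDiff, GAME_HMAC_KEY);
    // hash_equals() compares in constant time; the game id binds the token to one game
    if (!hash_equals($expected, $tokMac) || !hash_equals($gameId, $tokGame)) {
        return null;
    }
    return (int) $tokDiff;
}

// Constructed demo: a genuine token, one edited in the browser, one from another game.
$token  = issueToken('game-0001', 'easy');
$forged = str_replace('|1|', '|3|', $token); // difficulty changed, MAC left as issued
var_dump(verifyToken('game-0001', $token));
var_dump(verifyToken('game-0001', $forged));
var_dump(verifyToken('game-0002', $token));
```

The MAC only shows that the server issued the value. An unmodified token can still be sent again, so the server still has to record which game it belongs to and whether the reward was already claimed.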
0

Not something you should be worried about. But a way would be to track his progress using cookies/sessions. If the progress session is already set then don't do an update.

```php
<?php
session_start(); // needed before $_SESSION can be used

if (isset($_POST['clicked']) && !isset($_SESSION['in_progress'])) {
    if ($_POST['clicked'] == 'easy') { // Assign difficulty
        $difficulty = 1;
    } elseif ($_POST['clicked'] == 'medium') {
        $difficulty = 2;
    } elseif ($_POST['clicked'] == 'hard') {
        $difficulty = 3;
    }
    // Set a progress session
    $_SESSION['in_progress'] = true;
    // Store the chosen difficulty in the session (the assignment was reversed)
    $_SESSION['difficulty'] = $difficulty;
    echo ($difficulty);
} else {
    // Just return the difficulty from the session
    echo $_SESSION['difficulty'];
}
```
Ikhlak S.