I have a small JS game I wrote.
If the user is correctly logged in (with $_SESSION), at the end of the game I must send the "highScore" JS variable value to a PHP script that will write the high score (with a bunch of other data) to the DB (for the leader-board and such).
Let's call this writescore.php
I have no problem to send that value to writescore.php, either by AJAX with both POST or GET, or by simply and brutally calling the PHP script with some window.location.href variation.
My problem is that anyone can check the JS code and, if they are correctly logged in, they can directly call the same PHP with for example https://example.com/writescore.php?v=10000
and the PHP script will have no way to understand if the score is genuine or not. Whatever I do to obfuscate the number, it will clearly be visible in the JS source code, and so it would be fairly simple to re-apply the obfuscation.
At the moment, just to have "something that is better than nothing", I multiply the score by the number of seconds of today, like this:
var d = new Date()
v = Math.floor(d/1000/86400)
v *= highScore
call (in any way you wish) writehighscore.php?v=...
And in PHP I check that v % todaySeconds == 0 otherwise it means someone used the multiplier of a wrong day, and so the script rejects it since it's a fake attempt to cheat.
But still, it's fairly easy to see what the code is doing, and it's trivial to duplicate it.
So, my question: is there a way to somehow "hide" from JS a value that must be passed to PHP, or to make sure it's not been tampered with? Don't know... Like generating a unique session number on the server, sending it to the client, and using it to send back the score, and if the unique session is not the same, then the score is not valid... No clue :(
PS: We are giving cash money to the best high score every week/month, so I would rather not give it to a cheater ;)
