Hiding (or setting readonly) the URL after a form

Anon

After we have finished writting several games and the highscore list, we discovered a very serious security problem:

...../enter_name.pgp?Points=120

Wenn the user changed to Points=3000
he could have cheated.

Since we are giving away REAL prices, nobody must be able to modify the points.

Additional problems:
1) Minimize the server accesses (don't write temp file, to store and hide the points).

2) Make it work for IE and NS.

Please include full examples so it should be easier to implement.

Anon

Here is a little trick that was discussed on phpbuilder awhile back:

You could keep the score there, but add a second variable called phash, phash will be the md5 of the points + a secret word/phrase that is kept server side. For example, before you redirect to that page, do the following:

$phash = $points . "mypassword";
$phash = md5($phash);

Header("Location: http://enter_name.php?points=$points&phash=$phash");

Now, after you go from enter name to the next page, just do the following:

$checkhash = md5($points . "mypassword");
if ($checkhash != $phash) {
echo "Cheater!";
exit;
}

Just make sure that you have the same password in both files and a limited number of people know what it is and you should be o-tay. Of course, nothing beats keeping this information in a database or session variable server side but this is a good workaround for how you currently have it. Hope that helps.

Chris King

Anon

Thanks,
just 1 problem!

The game is written entirely in JavaScript -> the points are in a JavaScript variable!

I don't know how to access the JS variable from PHP :-(

Anon

If the game is in javascript, you give the user the sourcecode,
there is no way of protecting that anymore.

They can simply edit the code to generate as many points
as they want.

If you want security you'll need to use java, not javascript.
Java is sent to the user as an executable, so there you could use encryption to send the score to the server.

Anon

Only way to resolve this is to set the javascript variable to an input variable directly before submitting the form, and then checking the referer on the page that is validating the data. The most advanced can still spoof the headers for the referer, but this is the most secure way in your specific position.

Chris King

Anon

The thing with the referer is good, but doesn't work always with the IE.
the calling page does:
parent.window.location.href = ....

In Netscape no problem, in IE 5.5 an empty referer.

What I did to solve the problem:
A function generates a kind of a hash for the points.
To make it a bit harder for the users to cheat, the function is in a extra JS script on the server and gets included.

Still not good, but a bit harder to cheat.

Thanks for all your great ideas!
(The idea with the hash + md5 was a very good hint for me)

Anon

What is to stop them from refreshing that page and adding to their score? You will probably need to include a counter or random number in the hash that is stored server-side to make sure that each submission is unique.

Send an ID along with the request that correlates with a random number previously entered into a database.

Ryan