Best way to protect www post to a php file ?
Hello everybody! I'm wondering if I can block POST requests that aren't from my game in my PHP file? Or can I send a totally hidden WWW POST to my PHP file? I want to prevent anyone from inserting information manually into my database. Sorry for my bad English and thanks in advance!
Edit: My game communicates with a server through a PHP file. The PHP file links the game to the database. For the moment I use the database only as a leaderboard, but I would like to use it to store saves and passwords. So I want to protect all communications by hiding them or something.
Don't think so.. the best you can do is to do sanity checks on the server before moving the data to the DB (to make sure that the data makes sense and doesn't go overboard or crash the DB or server).
Simple WWW calls can probably be tracked in many ways.. with Wireshark being one of the easy ones. So it won't be hard for people to find out what URL your game calls.. also make sure to check for SQL injections.
You could try to figure out some way to call the URL while passing some additional variable that identifies it as a legit call from your game, but people probably wouldn't have too many problems replicating that.
Perhaps you can tell us more about the game or the reason you're performing this URL call.. what are you trying to achieve with it? Perhaps we'd be able to suggest a better solution if we knew what you're actually using it for.
So you think there is no way to protect a leaderboard from cheating (for example) if we communicate with the database via some PHP request?
Send a hash of the data along with some secret salt value with each request, and check the hash matches on the server (wouldn't prevent identical requests being sent again, but would prevent simple tampering with the values).
Thank you tanoshimi! Do you have a tutorial or some information that can help me learn about hashing data?
Answer by hkessock · Jul 31, 2014 at 07:23 PM
Use HTTPS and an expected handshake signature like AppID + current time + random GUID, plus whatever your command/data is.
Your server will at least know that somebody is using your AppID, knew to send the current time and knew to send a GUID of the type you require. (The GUID makes each transmission variable instead of static.)
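An added example, not code from anyone in this thread: the server-side check that combines tanoshimi's keyed hash with hkessock's AppID + current time + GUID, so that a resent request is rejected as well as a tampered one. It uses HMAC-SHA256 rather than a plain salted hash; the field names, the key, the 60-second window, the score bound and the in-memory nonce store are all assumptions.

```php
<?php
// Added example: names, key and limits below are assumptions, not from the thread.
const APP_ID     = 'my-game';                       // hypothetical AppID
const SECRET_KEY = 'replace-with-random-32-bytes';  // placeholder shared secret
const MAX_SKEW   = 60;                              // accepted clock drift, seconds
const MAX_SCORE  = 1000000;                         // sanity bound for this game

// Canonical string both sides sign: fixed field order, newline-separated.
function canonical(array $r): string {
    return implode("\n", [$r['app_id'], $r['ts'], $r['nonce'], $r['player'], $r['score']]);
}

function sign(array $r): string {
    return hash_hmac('sha256', canonical($r), SECRET_KEY);
}

// Returns 'ok' or a rejection reason. $seen stands in for a persistent nonce table.
function verify(array $r, array &$seen, int $now): string {
    foreach (['app_id', 'ts', 'nonce', 'player', 'score', 'sig'] as $f) {
        if (!isset($r[$f]) || !is_string($r[$f])) return "missing $f";
        // A newline inside a field would make the canonical string ambiguous.
        if (strpos($r[$f], "\n") !== false)       return "bad field $f";
    }
    if (!hash_equals(sign($r), $r['sig']))        return 'bad signature';
    if ($r['app_id'] !== APP_ID)                  return 'unknown app';
    if (!ctype_digit($r['ts']) || abs($now - (int)$r['ts']) > MAX_SKEW) return 'stale timestamp';
    if (!preg_match('/^[0-9a-f-]{36}$/', $r['nonce'])) return 'bad nonce';
    if (isset($seen[$r['nonce']]))                return 'replayed';
    if (!ctype_digit($r['score']) || (int)$r['score'] > MAX_SCORE) return 'implausible score';
    $seen[$r['nonce']] = $now;   // remember the GUID until it leaves the time window
    return 'ok';
}

// Constructed sample request, built the way the game client would build it.
$now = time();
$req = ['app_id' => APP_ID, 'ts' => (string)$now,
        'nonce' => '3f2b8c1e-9a47-4d0b-8e55-1c6a7d2f9b10', 'player' => 'alice', 'score' => '4200'];
$req['sig'] = sign($req);

$seen = [];
echo verify($req, $seen, $now), "\n";       // first delivery of the signed request
echo verify($req, $seen, $now), "\n";       // identical request sent again
$tampered = ['score' => '999999'] + $req;   // value edited, signature left unchanged
echo verify($tampered, $seen, $now), "\n";
```

The key has to ship inside the game build, so this stops casual tampering and resending rather than proving a request came from the game; the server-side sanity checks and SQL-injection handling mentioned earlier in the thread are still needed.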