Posted by Schraalhans Keukenmeester on 09/29/05 12:19
digiguru@gmail.com wrote:
> I'm trying to create a highscore table in Flash using PHP to store the
> highscores in a text file on the server.
>
> I want to make it as robust as possible without letting people whack in
> their own high scores. What's the best way of achieving this?
>
> Here is the code.
>
> <?php
> // These variables currently come from a form.
> // In the future they are going to be passed via a flash movie.
> // I understand flash movies are easy to bust apart,
> // so what's the best way of preventing people from adding dodgy scores?
> $userName = $_POST['myName'];
> $userEmailAddress = $_POST['myEmail'];
> $userScore = $_POST['myScore'];
>
> $filename = "highscores.php";
> // Currently our server only accepts ".php" files, not ".txt" - which is ANNOYING!
> // The style of the text file is...
> // "$userName,$userEmailAddress,$userScore\n"
> // for 10 to 50 lines of high scores, depending on how fast it runs.
> $numScores = 0;
> $highScoreArray = array();
>
> // I haven't whacked any functions in it as I believe
> // each function is a key that can be used to hack, am I right?
> if (!$userEmailAddress) {
>     echo "error : no email address";
>     exit;
> } else {
>     if (!file_exists($filename)) {
>         echo "error : no highscore file";
>     } else {
>         $highScoreArray = file($filename);
>         $numScores = count($highScoreArray);
>         $fp = fopen($filename, "w");
>         if (!$fp) {
>             echo "error : couldn't open data file";
>         } else {
>             $highScoreRow = "";
>             $highScoreRowBuffer = "";
>             for ($i = 0; $i < $numScores; $i++) {
>                 // loop through from the beginning of the file to the end
>                 $highScoreRow = $highScoreArray[$i];
>                 $highScoreRowArray = explode(",", $highScoreRow);
>                 $highScore = $highScoreRowArray[2];
>                 // the high score is the last one in the list
>                 if ($highScore < ($userScore + 1)) {
>                     // If it's a new high score (I add one to give priority to newer scores)
>                     if ($highScoreRowBuffer == "") {
>                         // This is to enter the new high score
>                         $highScoreArray[$i] = "$userName,$userEmailAddress,$userScore\n";
>                     } else {
>                         // This moves the previous not quite so high score to move down the table
>                         $highScoreArray[$i] = $highScoreRowBuffer;
>                     }
>                     // assign the buffer to remember the highscore as it will be
>                     // moving down the list now.
>                     $highScoreRowBuffer = $highScoreRow;
>                 }
>             }
>             // Write to file
>             for ($i = 0; $i < $numScores; $i++) {
>                 fwrite($fp, $highScoreArray[$i]);
>             }
>             // Close the handle only when fopen() actually returned one
>             fclose($fp);
>             echo "<a href='highscores.php'>Here is the new highscores file</a>";
>         }
>     }
> }
> // This is a code I pulled off another site to prevent hacking, should
> // I be using it everywhere in the page?!
> function fix_for_page($value) {
>     $value = htmlspecialchars(trim($value));
>     if (get_magic_quotes_gpc())
>         $value = stripslashes($value);
>     return $value;
> }
>
> ?>
>
Could be a toughie. First of all you should transfer that data encrypted
to at least throw off easy hack attempts that just send the same data
from a custom header instead of the flash app.
You could use a CRC checksum value or something like it (MD5 hash) on the
flash file itself as part of the encryption perhaps? Or maybe import a
one-time key in the Flash app at its start from your server? Cookies?
Etc...
Just a few thoughts.
GL
Sh
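
The one-time key idea from the reply above, sketched server-side as an added example that is not part of the original thread: the server hands the movie a fresh key at start, and a score is accepted only once, with a MAC computed under that key and fields that cannot break the row format. The function names, the `mac` POST field and the `$store` array (a stand-in for `$_SESSION`) are assumptions; anyone who takes the client apart can still read the key, so this only stops replayed or hand-built posts.

```php
<?php
// Added example, not from the thread. $store stands in for $_SESSION; the function
// names and the 'mac' POST field are hypothetical.

// Called when the movie starts: create a fresh random key and remember it server-side.
function issue_key(array &$store): string {
    $store['score_key'] = bin2hex(random_bytes(16));
    return $store['score_key'];
}

// The value the client must send with its fields, keyed by the one-time key.
function score_mac(string $key, string $name, string $email, int $score): string {
    return hash_hmac('sha256', "$name\n$email\n$score", $key);
}

// Returns the row to store, or null when the post must be rejected.
function accept_score(array &$store, array $post): ?string {
    $key = $store['score_key'] ?? null;
    unset($store['score_key']);   // single use: a replayed post finds no key
    if ($key === null) return null;

    $name  = (string)($post['myName'] ?? '');
    $email = (string)($post['myEmail'] ?? '');
    $score = filter_var($post['myScore'] ?? '', FILTER_VALIDATE_INT,
                        ['options' => ['min_range' => 0]]);
    if ($score === false) return null;
    // Keep the "name,email,score\n" row intact and keep markup out of highscores.php.
    if (!preg_match('/\A[A-Za-z0-9 _.-]{1,20}\z/', $name)) return null;
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) return null;
    if (strpbrk($email, ",\r\n<>?") !== false) return null;

    $mac = (string)($post['mac'] ?? '');
    if (!hash_equals(score_mac($key, $name, $email, $score), $mac)) return null;
    return "$name,$email,$score\n";
}

// Constructed demo data.
$store = [];
$key = issue_key($store);
$post = ['myName' => 'digi', 'myEmail' => 'player@example.com', 'myScore' => '1200'];
$post['mac'] = score_mac($key, 'digi', 'player@example.com', 1200);
var_dump(accept_score($store, $post));   // genuine post
var_dump(accept_score($store, $post));   // same post replayed
$key = issue_key($store);
$post['myScore'] = '999999';             // edited score, MAC no longer matches
var_dump(accept_score($store, $post));
```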