• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 979
  • Last Modified:

Jquery ajax and php security

Hi E's, I create a picture puzzle game with jquery and javascript, and comes the time to thing about the security of the site/game.
I use jquery and javascript to do the part of the game (the play part), and ajax and php to send informations to my data base.
The behavior is, when the player begins the game: I create a new row in DB (with ajax and php), and I insert in that new row information like, random number (unique) to identify that single game, information about the puzzle the player play (I will have lots of pictures puzzles).
When the customer finish the puzzle, I send to DB (ajax and jquery again) the time player use to finish the puzzle and the information about how many moves player use to finish the puzzle.

In a beautiful world without hackers that work perfect.
What I need in this question is some opinion about the best way to protect my code and the communication to the server in each game.

Note: I use post method for send the information to the server. first the information going to a different .php file, and that php file send the information to the database.

If you want see code, please tell me.

The best regards, JC
Pedro Chagas
Pedro Chagas
  • 2
2 Solutions
Ray PaseurCommented:
How do you test to see if the communication with the server is actually from a human player?
Pedro ChagasWebmasterAuthor Commented:
I have not tested, the first step may be that? and what you advise? like a captcha?
I try to do some tests with firebug, and I see I can manipulate variables, also in my game, I can manipulate the time, and in this case the player can cheat!!!
For the time the player use to finish the puzzle, I thing the solution is, when the game begin, I inform the start time by php and ajax, and when the customer finish the puzzle I send in the same way the end time, and compare both variables (end time - start time).

greetings  joaochagas, , Hope I can help a little, but web site security can get to be a LARGE endeavor, although there may be several things u can do for a low-moderate  security level.

First, with AJAX, u will need to treat it as a POST from a normal PHP form page, and check the post strings for length, content, and try and validate the content, then be sure to have data base injection prevention, same as a NON-AJAX call from a page post. Although normal users would have the page AJAX do the communication, a hacker, or hacker attack site would send independent "POST" data to your AJAX response page that could contain anything that they need.

Hopefully, you can have this done in a way where your Users must "Sign In" as a PHP user Log-In, so you can have a "Start" on security, with a proper "log-In" identifier, and set a session or database entry for valid users.

Next, try and have as many game data creations, (like start time and finish time)  be ONLY from SERVER code and or SERVER Database reads, that have the data from SERVER code,
For instance, Have the web page send by AJAX that the Game "Started", but nothing about the javascript time, Then in server code get the "Start Time" and place that in the database, When the game is finished, send a AJAX message that "Game End" and get the SERVER time for that ending, ,  and then use the database "Start Time" (from server)  to see how long the game was. Then send back the "Time results and player Score" by AJAX, so that the Times can not be cheated by javascript.

Also for data that the server evaluates from the web page AJAX to "Increase" the player's score or game points, see if you can find a way to evaluate, one play-move at a time, and be sure to TEST the response time for a minimum that a human would need to do a play-move (as opposed to a microsecond for a computer to do a play or move) from the "Last move" time sent to and recorded by the server code. This will not be a sure fire prevention, but can prevent some "repetitive" data sends that cheaters may try.

In AJAX that uses browser side code (javascript) , it is difficult to have any way to secure the sends by obfuscation or encryption, because anyone that gets the page, can read all of the javascript, and see any "security" steps to hide or secure a data send. So you will need to try and do as much on the server side (php) for all game functions and scoring, that is practical  for your game. You can use some server produced security text blocks to send to page by AJAX, that your javascript records and sends back by AJAX to be checked by the server, but this may not be possible-useful for many games.
As long as you do not offer large rewards (big prizes) for winners of your game, you will not need to worry much about makin big efforts in security, but there will be many that try to do light weight cheating, without doing major attack scams.

If you need some more about this, maybe you can say more about the data factors that you need to send back and forth by AJAX.
OK, I thought you might post again but you did not, There are several PHP code scripts for games, that may give you some Ideas for your game, although many of these seem not to be from developers with much experience, , ,

anyway go to -

and you can download some code that others have made, but I did not see any that use AJAX.

be sure to have others play your game, and get their feedback to improve your development , much luck to you!
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now