[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

Jquery ajax and php security

Posted on 2012-09-16
4
Medium Priority
?
977 Views
Last Modified: 2012-09-21
Hi E's, I create a picture puzzle game with jquery and javascript, and comes the time to thing about the security of the site/game.
I use jquery and javascript to do the part of the game (the play part), and ajax and php to send informations to my data base.
The behavior is, when the player begins the game: I create a new row in DB (with ajax and php), and I insert in that new row information like, random number (unique) to identify that single game, information about the puzzle the player play (I will have lots of pictures puzzles).
When the customer finish the puzzle, I send to DB (ajax and jquery again) the time player use to finish the puzzle and the information about how many moves player use to finish the puzzle.

In a beautiful world without hackers that work perfect.
What I need in this question is some opinion about the best way to protect my code and the communication to the server in each game.

Note: I use post method for send the information to the server. first the information going to a different .php file, and that php file send the information to the database.

If you want see code, please tell me.

The best regards, JC
0
Comment
Question by:Pedro Chagas
  • 2
4 Comments
 
LVL 111

Assisted Solution

by:Ray Paseur
Ray Paseur earned 300 total points
ID: 38403620
How do you test to see if the communication with the server is actually from a human player?
0
 
LVL 3

Author Comment

by:Pedro Chagas
ID: 38403713
I have not tested, the first step may be that? and what you advise? like a captcha?
I try to do some tests with firebug, and I see I can manipulate variables, also in my game, I can manipulate the time, and in this case the player can cheat!!!
For the time the player use to finish the puzzle, I thing the solution is, when the game begin, I inform the start time by php and ajax, and when the customer finish the puzzle I send in the same way the end time, and compare both variables (end time - start time).

~JC
0
 
LVL 34

Accepted Solution

by:
Slick812 earned 1700 total points
ID: 38407067
greetings  joaochagas, , Hope I can help a little, but web site security can get to be a LARGE endeavor, although there may be several things u can do for a low-moderate  security level.

First, with AJAX, u will need to treat it as a POST from a normal PHP form page, and check the post strings for length, content, and try and validate the content, then be sure to have data base injection prevention, same as a NON-AJAX call from a page post. Although normal users would have the page AJAX do the communication, a hacker, or hacker attack site would send independent "POST" data to your AJAX response page that could contain anything that they need.

Hopefully, you can have this done in a way where your Users must "Sign In" as a PHP user Log-In, so you can have a "Start" on security, with a proper "log-In" identifier, and set a session or database entry for valid users.

Next, try and have as many game data creations, (like start time and finish time)  be ONLY from SERVER code and or SERVER Database reads, that have the data from SERVER code,
For instance, Have the web page send by AJAX that the Game "Started", but nothing about the javascript time, Then in server code get the "Start Time" and place that in the database, When the game is finished, send a AJAX message that "Game End" and get the SERVER time for that ending, ,  and then use the database "Start Time" (from server)  to see how long the game was. Then send back the "Time results and player Score" by AJAX, so that the Times can not be cheated by javascript.

Also for data that the server evaluates from the web page AJAX to "Increase" the player's score or game points, see if you can find a way to evaluate, one play-move at a time, and be sure to TEST the response time for a minimum that a human would need to do a play-move (as opposed to a microsecond for a computer to do a play or move) from the "Last move" time sent to and recorded by the server code. This will not be a sure fire prevention, but can prevent some "repetitive" data sends that cheaters may try.

In AJAX that uses browser side code (javascript) , it is difficult to have any way to secure the sends by obfuscation or encryption, because anyone that gets the page, can read all of the javascript, and see any "security" steps to hide or secure a data send. So you will need to try and do as much on the server side (php) for all game functions and scoring, that is practical  for your game. You can use some server produced security text blocks to send to page by AJAX, that your javascript records and sends back by AJAX to be checked by the server, but this may not be possible-useful for many games.
As long as you do not offer large rewards (big prizes) for winners of your game, you will not need to worry much about makin big efforts in security, but there will be many that try to do light weight cheating, without doing major attack scams.

If you need some more about this, maybe you can say more about the data factors that you need to send back and forth by AJAX.
0
 
LVL 34

Expert Comment

by:Slick812
ID: 38422991
OK, I thought you might post again but you did not, There are several PHP code scripts for games, that may give you some Ideas for your game, although many of these seem not to be from developers with much experience, , ,

anyway go to -
http://gscripts.net/free-php-scripts/Browser_Games.html

and you can download some code that others have made, but I did not see any that use AJAX.

be sure to have others play your game, and get their feedback to improve your development , much luck to you!
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Nothing in an HTTP request can be trusted, including HTTP headers and form data.  A form token is a tool that can be used to guard against request forgeries (CSRF).  This article shows an improved approach to form tokens, making it more difficult to…
This article discusses four methods for overlaying images in a container on a web page
The viewer will learn how to dynamically set the form action using jQuery.
This tutorial will teach you the core code needed to finalize the addition of a watermark to your image. The viewer will use a small PHP class to learn and create a watermark.
Suggested Courses
Course of the Month20 days, 5 hours left to enroll

873 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question