Jquery ajax and php security

Posted on 2012-09-16
Last Modified: 2012-09-21
Hi E's, I create a picture puzzle game with jquery and javascript, and comes the time to thing about the security of the site/game.
I use jquery and javascript to do the part of the game (the play part), and ajax and php to send informations to my data base.
The behavior is, when the player begins the game: I create a new row in DB (with ajax and php), and I insert in that new row information like, random number (unique) to identify that single game, information about the puzzle the player play (I will have lots of pictures puzzles).
When the customer finish the puzzle, I send to DB (ajax and jquery again) the time player use to finish the puzzle and the information about how many moves player use to finish the puzzle.

In a beautiful world without hackers that work perfect.
What I need in this question is some opinion about the best way to protect my code and the communication to the server in each game.

Note: I use post method for send the information to the server. first the information going to a different .php file, and that php file send the information to the database.

If you want see code, please tell me.

The best regards, JC
Question by:Pedro Chagas
    LVL 107

    Assisted Solution

    by:Ray Paseur
    How do you test to see if the communication with the server is actually from a human player?
    LVL 3

    Author Comment

    by:Pedro Chagas
    I have not tested, the first step may be that? and what you advise? like a captcha?
    I try to do some tests with firebug, and I see I can manipulate variables, also in my game, I can manipulate the time, and in this case the player can cheat!!!
    For the time the player use to finish the puzzle, I thing the solution is, when the game begin, I inform the start time by php and ajax, and when the customer finish the puzzle I send in the same way the end time, and compare both variables (end time - start time).

    LVL 33

    Accepted Solution

    greetings  joaochagas, , Hope I can help a little, but web site security can get to be a LARGE endeavor, although there may be several things u can do for a low-moderate  security level.

    First, with AJAX, u will need to treat it as a POST from a normal PHP form page, and check the post strings for length, content, and try and validate the content, then be sure to have data base injection prevention, same as a NON-AJAX call from a page post. Although normal users would have the page AJAX do the communication, a hacker, or hacker attack site would send independent "POST" data to your AJAX response page that could contain anything that they need.

    Hopefully, you can have this done in a way where your Users must "Sign In" as a PHP user Log-In, so you can have a "Start" on security, with a proper "log-In" identifier, and set a session or database entry for valid users.

    Next, try and have as many game data creations, (like start time and finish time)  be ONLY from SERVER code and or SERVER Database reads, that have the data from SERVER code,
    For instance, Have the web page send by AJAX that the Game "Started", but nothing about the javascript time, Then in server code get the "Start Time" and place that in the database, When the game is finished, send a AJAX message that "Game End" and get the SERVER time for that ending, ,  and then use the database "Start Time" (from server)  to see how long the game was. Then send back the "Time results and player Score" by AJAX, so that the Times can not be cheated by javascript.

    Also for data that the server evaluates from the web page AJAX to "Increase" the player's score or game points, see if you can find a way to evaluate, one play-move at a time, and be sure to TEST the response time for a minimum that a human would need to do a play-move (as opposed to a microsecond for a computer to do a play or move) from the "Last move" time sent to and recorded by the server code. This will not be a sure fire prevention, but can prevent some "repetitive" data sends that cheaters may try.

    In AJAX that uses browser side code (javascript) , it is difficult to have any way to secure the sends by obfuscation or encryption, because anyone that gets the page, can read all of the javascript, and see any "security" steps to hide or secure a data send. So you will need to try and do as much on the server side (php) for all game functions and scoring, that is practical  for your game. You can use some server produced security text blocks to send to page by AJAX, that your javascript records and sends back by AJAX to be checked by the server, but this may not be possible-useful for many games.
    As long as you do not offer large rewards (big prizes) for winners of your game, you will not need to worry much about makin big efforts in security, but there will be many that try to do light weight cheating, without doing major attack scams.

    If you need some more about this, maybe you can say more about the data factors that you need to send back and forth by AJAX.
    LVL 33

    Expert Comment

    OK, I thought you might post again but you did not, There are several PHP code scripts for games, that may give you some Ideas for your game, although many of these seem not to be from developers with much experience, , ,

    anyway go to -

    and you can download some code that others have made, but I did not see any that use AJAX.

    be sure to have others play your game, and get their feedback to improve your development , much luck to you!

    Featured Post

    What Should I Do With This Threat Intelligence?

    Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

    Join & Write a Comment

    In this article you'll learn how to use Ajax calls within your CodeIgniter application. To explain this, I'll illustrate how to implement a simple contact form to allow visitors to send you an email through your web site.
    How to build a simple, quick and effective accordion menu using just 15 lines of jQuery and 2 css classes
    Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…
    The viewer will learn the basics of jQuery including how to code hide show and toggles. Reference your jQuery libraries: (CODE) Include your new external js/jQuery file: (CODE) Write your first lines of code to setup your site for jQuery…

    732 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    23 Experts available now in Live!

    Get 1:1 Help Now