validating database calls


rls
03-28-2001, 10:34 AM
hi all!

We have a Flash game which reads its 'high scores table' from a database via a PHP file. Problem is, people have managed to reverse-engineer the SWF, pull the path to the PHP from it, and use it to pass bogus scores (via a browser, we think) to the PHP file, which obviously updates the database incorrectly. How do we check that the scores are being posted via the Flash file as opposed to any other way, to authenticate them?

I have taken the obvious measures to protect the swf file like not allowing debugging of the file and disabling importing, but I realise there are still ways round this.

We thought about using the PHP to check the HTTP_REFERER; however, as we have tested it, IE does not seem to send this info as one of its environment variables.

any thoughts?

Jesse
03-30-2001, 08:32 AM
Hrmm the problem is the fact that it can be reverse engineered. I know that sounds dumb but I was thinking:
"Why not construct the URL to the high-scores file dynamically, using text strings and things, that way it wouldn't be obvious what the URL was", but the problem is, using something like ActionScript Viewer, the culprits could just gather up the strings and combine them to figure out the URL themselves...

How about using cookies?

Cheers

Jesse

kaptainkory
04-12-2001, 10:51 PM
There is a technique that can be used with ScoreKeeper that will cause HTTP_REFERER to get set. The only *possible* problem is that the scores output will be in a pop-up window.

http://www.k2w.f2s.com/software/

kory

chiefmonkey
05-08-2001, 02:19 PM
HTTP_REFERER is notoriously unreliable.
I think your best bet may be to use a session and quite simply check for the session cookie before the score is entered into the db, the only problem being cookies can be faked.

HTH
george
chiefmonkey
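
An added example, not part of any post in this thread: one way to implement the session check chiefmonkey suggests, in PHP, with the round state kept on the server so the score endpoint only accepts one submission per round the session actually started. The function names, the token field and the MAX_POINTS_PER_SECOND ceiling are assumptions for illustration, and a plain array stands in for `$_SESSION` so the file runs from the command line.

```php
<?php
// Added example (not from the thread). begin_round(), accept_score() and
// MAX_POINTS_PER_SECOND are hypothetical names chosen for this sketch.

const MAX_POINTS_PER_SECOND = 50; // assumed game-specific ceiling

// Called when the game starts: binds a one-time token and a start time
// to the server-side session and returns the token for the game to echo back.
function begin_round(array &$session, int $now): string
{
    $session['round_token'] = bin2hex(random_bytes(16));
    $session['round_start'] = $now;
    return $session['round_token'];
}

// Called by the score endpoint before anything is written to the database.
// Accepts a score only for an open round in this session, only once, and
// only if the score is achievable in the time the round has been running.
function accept_score(array &$session, string $token, int $score, int $now): bool
{
    if (!isset($session['round_token'], $session['round_start'])) {
        return false; // this session never started a round
    }
    $expected = $session['round_token'];
    $started  = $session['round_start'];
    unset($session['round_token'], $session['round_start']); // single use

    if (!hash_equals($expected, $token)) {
        return false; // token does not match the one issued for the round
    }
    $elapsed = max(1, $now - $started);
    return $score >= 0 && $score <= $elapsed * MAX_POINTS_PER_SECOND;
}

// Constructed walk-through; timestamps and scores are made up.
$session = [];
$token = begin_round($session, 1000);
var_dump(accept_score($session, $token, 900, 1030));    // first submission for the round
var_dump(accept_score($session, $token, 900, 1031));    // same token sent a second time
$token = begin_round($session, 2000);
var_dump(accept_score($session, $token, 999999, 2005)); // score far above the ceiling for 5 s
var_dump(accept_score($session, 'guess', 10, 2010));    // no round open in this session
```

In a real endpoint the array would be `$_SESSION` after `session_start()`, and the database write would happen only when `accept_score()` returns true.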