I really need to work out how to protect the highscore table with flash games.
i use php and mysql to store the highscore table.

can anyone help?

I've been thinking about that myself. I don't think a 100% tamper-proof solution is even possible.

I would suggest using a salted md5-hash to 'sign' the data you send from the flash file to your php script, and then have the php check the hash. This would keep people from simply querying your server with scores they made up.

Of course, this is vulnerable to flash decompilers. The source code would show how the hash is generated, in turn enabling the attacker to sign their fake scores correctly. But this attack at least takes time and skill, so hashing will make manipulations a lot harder.

Still, I'm always on the lookout for better solutions myself. I have been thinking about signing the swf somehow, or working with referers to ascertain only a flash file that has been loaded from your server is allowed to send scores. Or maybe have the server issue some kind of one-time token for each game...

regards

j.

thanks for the reply this is something ive been pondering for some and ive not found "perfect" solution. as flash can be decompiled it makes it very hard to make it secure