I have a Flash based game for the browser which sends users’ scores to a php backend script which stores the score and the user id in the database.
Now I have a url like http://www.example.com/update.php?score=200&uid=234
The problem is that this is very much exposed to an intelligent user, and he can use this url to store whatever score he wants in the DB. Also there’s no real user authentication, and I don’t intend to have one either, because it’s really a tiny game.
How can I stop someone from calling the above url and updating his score on his own.
You might want to read about the “Marblecake” hack of an online polling system.
Substitute the concept of “submitting a vote” with “submitting a score” and you’ll see that any client-side control is bound to fail.
While a good step might be to encrypt the score or use an HMAC to prevent tampering, your encryption will be done in the Flash client and the Flash app can be reverse-engineered for the key (it increases the effort required to cheat, but won’t prevent cheating).
In order to minimize cheating, you’d have to move the scoring logic to the server and you’d have to run sanity checks or otherwise validate players’ actions; otherwise, the approach to cheating would be executing invalid actions that lead to more points rather than just reporting the final score. (That last bit is vague since it’s not clear what kind of game this is.)
At the very least, you should be able to tie score updates to a specific user so that cheaters can only affect their own score and not others’. I can only think of ways to bound the effect of cheating, such as rate limiting so that if an average game is N minutes, the server only accepts around 60/N score updates per hour . Or use some other metric/time period. But for what you describe as a tiny game that’s probably not worth the effort — especially since it only bounds the problem, it doesn’t solve it.