I have a theoretical question about how to approach a current project. It is a fairly simple matching quiz using JS + PHP. I am simply taking care of business logic on the server (answer checking, score updating) such as to roughly follow MVC conventions.
My current setup:
- HTML + JS page to allow the user to drag and drop answers onto questions. On a successful drop, the question + answer combo is sent to the following:
- A server-side PHP page to check the answer correctness based on an XML file. I return a few pieces of data in some XML client, such as true/false and number of attempts at a certain question. In addition, if the answer is correct, I increment a Session Variable on the server to keep track of the user’s score.
My question revolves around best practices for setting the above-mentioned session variable for tracking the score. I understand that a more persistent setup is most likely preferable, in case of computer shut-off, accidental browser closing, etc., but strictly based on this setup –
- Is this a secure method for storing a score for a final insertion into the database?
- I eventually will have to pull the score down from the server at the end of the game (or even mid game, for that matter), as well. Should I create a simple ‘getter’ PHP page to pull the score down, and just access the session variable and send it to the client?
- Currently, the user actually has access to the PHP server-side page because it resides in the same folder as the actual quiz. This is moooost likely a no-no – but what is the common practice for hiding this server-only file from the user’s prying eyes (without having to use authentication)?
It is secure. But I don’t see why you wouldn’t update the scores in the database as they are changed. This way it will be persistent.
Sounds like a plan.
As long as the files are .php files and are parsed by the webserver, the user can only make requests to the files and that’s it (if I understood the question correctly, that is).
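The following is an added example illustrating the setup discussed in the question and the answer above; it is not code from either poster. It puts the three points together: the server grades the drop against the XML key and is the only place the score is ever changed, the score is written to the database each time it changes (the answer's suggestion), and a plain "getter" returns the session score to the client. Two details are worth pointing out. First, the answer's observation that a .php file can only be requested, not read, does not extend to the XML answer key: a .xml file sitting in the quiz folder is served verbatim to anyone who asks for it, so the key belongs outside the document root (`ANSWER_KEY_PATH` below is a placeholder for such a location). Second, the client never sends a score, only ids, and each question is credited once, so replaying a known-correct drop cannot inflate the total. The SQLite in-memory database, the sample key and the CLI walk-through are constructed so the script runs stand-alone.

```php
<?php
// Added example, not the original poster's code. Assumes: an answer key XML
// kept outside the web root (ANSWER_KEY_PATH is a placeholder), a SQLite
// "scores" table, and a client that sends only question/answer ids.
declare(strict_types=1);

const ANSWER_KEY_PATH = '/var/quiz-private/answers.xml'; // placeholder, outside htdocs

// Constructed sample key so the script runs stand-alone
// (a deployment would use file_get_contents(ANSWER_KEY_PATH) instead).
const SAMPLE_KEY_XML = <<<'XML'
<quiz>
  <question id="q1" answer="a3"/>
  <question id="q2" answer="a1"/>
</quiz>
XML;

/** Parse the key into [questionId => answerId]; LIBXML_NONET stops the parser fetching anything over the network. */
function loadAnswerKey(string $xml): array {
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    if ($doc === false) {
        throw new RuntimeException('invalid answer key');
    }
    $key = [];
    foreach ($doc->question as $q) {
        $key[(string)$q['id']] = (string)$q['answer'];
    }
    return $key;
}

function openDb(): PDO {
    $db = new PDO('sqlite::memory:'); // constructed: a deployment points at the real quiz database
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE IF NOT EXISTS scores (session_id TEXT PRIMARY KEY, score INTEGER NOT NULL)');
    return $db;
}

/** Session bootstrap that also works under the CLI, where there is no cookie. */
function startSession(): void {
    if (PHP_SAPI !== 'cli' && session_status() === PHP_SESSION_NONE) {
        session_start();
    }
    $_SESSION ??= [];
    $_SESSION['score'] ??= 0;
    $_SESSION['attempts'] ??= [];
    $_SESSION['answered'] ??= [];
}

function sessionKey(): string {
    return session_id() !== '' ? session_id() : 'cli-demo-session'; // constructed fallback for CLI runs
}

/** Validate the ids, grade server-side, update the session and persist the score in one step. */
function checkAnswer(PDO $db, array $key, string $qid, string $aid): array {
    if (!preg_match('/^[A-Za-z0-9_]{1,32}$/', $qid) || !preg_match('/^[A-Za-z0-9_]{1,32}$/', $aid)) {
        return ['error' => 'bad_input'];
    }
    if (!isset($key[$qid])) {
        return ['error' => 'unknown_question'];
    }
    $_SESSION['attempts'][$qid] = ($_SESSION['attempts'][$qid] ?? 0) + 1;
    $correct = hash_equals($key[$qid], $aid);
    // Credit each question once: re-sending a known-correct pair must not raise the score again.
    if ($correct && empty($_SESSION['answered'][$qid])) {
        $_SESSION['answered'][$qid] = true;
        $_SESSION['score']++;
        $stmt = $db->prepare('INSERT INTO scores (session_id, score) VALUES (:sid, :score)
                              ON CONFLICT(session_id) DO UPDATE SET score = excluded.score');
        $stmt->execute([':sid' => sessionKey(), ':score' => $_SESSION['score']]);
    }
    return ['correct' => $correct ? 'true' : 'false',
            'attempts' => $_SESSION['attempts'][$qid],
            'score' => $_SESSION['score']];
}

/** The "getter": the client only ever reads the score, it never sends one. */
function getScore(): int {
    return (int)$_SESSION['score'];
}

/** Serialise a result as XML; text nodes are escaped so ids cannot break the markup. */
function toXml(array $result): string {
    $doc = new DOMDocument('1.0', 'UTF-8');
    $root = $doc->appendChild($doc->createElement('result'));
    foreach ($result as $name => $value) {
        $root->appendChild($doc->createElement($name))->appendChild($doc->createTextNode((string)$value));
    }
    return $doc->saveXML();
}

startSession();
$key = loadAnswerKey(SAMPLE_KEY_XML);
$db  = openDb();

if (PHP_SAPI === 'cli') {
    // Constructed walk-through: wrong, right, the same right answer replayed, then a second question.
    foreach ([['q1', 'a1'], ['q1', 'a3'], ['q1', 'a3'], ['q2', 'a1']] as [$q, $a]) {
        echo toXml(checkAnswer($db, $key, $q, $a));
    }
    echo "final score: ", getScore(), "\n"; // 2, not 3: the replay earns nothing
} else {
    // Web endpoint: POST question+answer to check a drop, GET to read the score back.
    header('Content-Type: application/xml; charset=utf-8');
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        echo toXml(checkAnswer($db, $key, (string)($_POST['question'] ?? ''), (string)($_POST['answer'] ?? '')));
    } else {
        echo toXml(['score' => getScore()]);
    }
}
```

Run it with `php quiz.php` to see the four XML responses and the final score; deployed under a web server, the same file answers the drag-and-drop POSTs and the score GET. The prepared statement and the escaped text nodes are what keep the question and answer ids, which do come from the client, from reaching the database or the XML response as markup.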