While developing a Facebook game, I’m realizing that I can’t yet think of a secure way to change user data (like, for example, player health), which I want to do via AJAX calls. If I call a script such as change_user_health.php with the parameters {userid : 12345, newhealth : 25}, how can I call it in such a way as to prevent users from peeking at the script and calling that script themselves to, say, give themselves full health at all times?
I was originally thinking of passing a hash (perhaps a salted MD5 encryption of a certain value), but this hash would be visible within the JavaScript that calls the AJAX script file. What can I do to call an AJAX PHP script without the user seeing how the MD5 hash is salted and composed? I want the hash to include the health value (25 in the above example) in its composition, so that the user can’t just pop in a different value (like 100) with the same hash.
The solution: Make everything server-side.
Say the player gets hit. Instead of doing a request to set the player's HP ( setPlayerHP( current_hp – damage ) ), send a request to inform the server that the player has been hit, and let the server handle that and send the remaining HP in the response. ( playerHit() )
The server should then figure out what hit him, and what armor he is wearing. You can’t trust JavaScript at all… If for example you sent the monster id along with the request, or the armor id, then the player could easily forge that.
What you are into sounds like an interesting programming experience 🙂 Lag makes things a lot funnier, too.
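One way to implement the server-authoritative shape the answer describes, shown beside the client-trusting shape from the question, as an added example that is not the answerer's code. The script names, the session key `player_id`, and the stubbed `load_player` / `load_monster` / `save_player_hp` lookups are assumptions standing in for a real database.

```php
<?php
// Added example (not the original answer's code). Assumed server-side state:
// a session holding the logged-in player id, and stubbed lookups that a real
// game would back with a database. All values here are constructed.
session_start();

// --- Insecure shape the question describes: the client chooses the result.
// POST change_user_health.php  {userid: 12345, newhealth: 25}
function change_user_health_insecure(array $post): int {
    // Nothing here can distinguish a legitimate hit from a forged "newhealth=100".
    $hp = (int)$post['newhealth'];
    save_player_hp((int)$post['userid'], $hp);
    return $hp;
}

// --- Server-authoritative shape: the client only reports an event.
// POST player_hit.php  {}   (no ids, no numbers; identity comes from the session)
function player_hit(): array {
    if (empty($_SESSION['player_id'])) {
        http_response_code(401);
        return ['error' => 'not logged in'];
    }
    $playerId = (int)$_SESSION['player_id'];        // never taken from the request
    $player   = load_player($playerId);             // hp, armor, current encounter
    $monster  = load_monster($player['fighting']);  // server decides what hit him
    if ($monster === null) {
        return ['error' => 'no active encounter', 'hp' => $player['hp']];
    }
    $damage = max(0, $monster['attack'] - $player['armor']);
    $newHp  = max(0, $player['hp'] - $damage);
    save_player_hp($playerId, $newHp);
    return ['hp' => $newHp, 'damage' => $damage];
}

// Constructed stand-ins for database access (hypothetical rows).
function load_player(int $id): array {
    return ['hp' => 40, 'armor' => 3, 'fighting' => 7];
}
function load_monster(?int $id): ?array {
    return $id === 7 ? ['attack' => 10] : null;
}
function save_player_hp(int $id, int $hp): void {
    // UPDATE players SET hp = ? WHERE id = ?  (omitted in this stub)
}

header('Content-Type: application/json');
echo json_encode(player_hit());
```

With the constructed rows above, a hit costs 10 - 3 = 7 HP and the response is `{"hp":33,"damage":7}`; a forged request cannot change that because neither the damage nor the player id is read from the request body.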