问题
A friend to me made a flash game for my website. The game makes a request to /game/p00ints.php with the points in $_POST['points'].
But, a hacker can easy find out how to get more points I guess, so, how can my friend or I fix this security hole?
Best regards,
Erik Persson
回答1:
The way to fix this is have all the point calculation on the server and have the client send raw input (e.g. hold left arrow key 1 second, enter key press, hold left mouse button 2 seconds, etc.). Even then, attackers can still write bots to bypass your flash client (but the bots will have to send raw input). I understand implementing this is complex, but I think this is the most secure solution.
Adding a private key to the flash file may be enough of an obstacle for a casual game. However, it provides no real security, because someone can easily decompile the SWF.
回答2:
Quick solution - add some checksum as a second parameter, for example md5("secretword"+md5(points)). It will make hacker's life harder and hopefully they won't bother.
I don't think there is absolute 100% secure solution as flash can be decompiled.
来源:https://stackoverflow.com/questions/2755190/points-pts-in-flash-game