开发者

How to process AJAX requests more securely in PHP?

开发者 https://www.devze.com 2022-12-23 23:41 出处:网络
Ok, so I want to send AJAX requests to my website from my Flash games to process data, but I don\'t want people downloading them, decompiling them, then sending fake requests to be processed, so I\'m

Ok, so I want to send AJAX requests to my website from my Flash games to process data, but I don't want people downloading them, decompiling them, then sending fake requests to be processed, so I'm trying to figure out the most secure way to process in the PHP files. My first idea was to use Apache's built in Authorization module to require a username and password to access the pages on a separate subdomain of my website, but then you'd have to include that username and password in the AJAX request anyway so that seems kind of pointless to even try.

My current option looks pretty promising but I want to make sure it will work. Basically it just checks the IP address being sent using REMOTE_ADDR to make sure it's the IP address that my server runs on.

<?
$allowed = new Array("64.120.211.89", "64.120.211.90");
if (!in_array($_SERVER['REMOTE_ADDR'], $allowed)) header("HTTP/1.1 403 Forbidden");
?>

Both of those IP addresses point to my server. Things I'm worried about:

1) If I send a request from Flash/ActionScript, will that affect the IP address in any way?

2) Is it possible for malicious user开发者_高级运维s to change the IP address that is being sent with REMOTE_ADDR to one of my IP addresses?

Any other ways you would suggest that might be more secure?


THOSE IPs ARE NSFW.

Keep in mind that if someone decompiles your flash app, recompiles it, and then places it back in your site using Firebug or similar, all your work is wasted in your current thought stream. The best way to prevent abuse is going to be to require one-time use encrypted tokens that you send when you initialize the flash game, and require on the POST back. You should also use SSL. But even that won't stop everyone. Flash game security is notoriously difficult.


The REMOTE_ADDR will be the address of the client, so it won't help.

If the client can decode it, they will be able to emulate it.

Just hope no-one is that desperate to get a high-score on your games.

I guess it's easier to sniff packets than it is to decompile the flash, so it might be worthwhile encrypting the data in some fashion as you send it.


Concluded Answer after googling a lot !

Step-1 : Generate Token System For All Web-Service:

Generating Token :

<?php
  session_start();
  $token = md5(rand(1000,9999)); //you can use any encryption
  $_SESSION['token'] = $token; //store it as session variable
?>

Step-2 : Use it while sending ajax call:

var form_data = {
  data: $("#data").val(), //your data being sent with ajax
  token:'<?php echo $token; ?>', //used token here.
  is_ajax: 1
};

$.ajax({
  type: "POST",
  url: 'yourajax_url_here',
  data: form_data,
  success: function(response)
  {
    //do further
  }
});

Step-3 : NOW, Let's secure ajax handler PHP file with,

session_start(); //most of people forget this while copy pasting code ;)
if($_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest') {
  //Request identified as ajax request

  if(@isset($_SERVER['HTTP_REFERER']) && $_SERVER['HTTP_REFERER']=="http://yourdomain/ajaxurl")
  {
   //HTTP_REFERER verification
    if($_POST['token'] == $_SESSION['token']) {
      //do your ajax task
      //don't forget to use sql injection prevention here.
    }
    else {
      header('Location: http://yourdomain.com');
    }
  }
  else {
    header('Location: http://yourdomain.com');
  }
}
else {
  header('Location: http://yourdomain.com');
}

NOTE: SORRY FOR NESTED IF..ELSE, BUT IT INCREASES UNDERSTANDABILITY. YOU CAN SIMPLIFY ALL THREE IN ONE IF ELSE. 85% Security Enhanced !


I've really been thinking about this. People hack games to get #1 on the scoreboard, correct? That's the only reason, they want to be on top. So, I've decided to completely get rid of the global scoreboard. Users, of course, will have their personal scores recorded so they can compete against themselves, but other than that, each game will simply give users an award for accomplishing some specific task. That way score is irrelevant. Whether you get 1,000,000 or 1,000, you still get the same award. This will deter hackers because their efforts are meaningless. Yes, I can still implement some form of lower-level security when transmitting data to the server via AJAX requests, but really it wouldn't seem very logical for someone to hack my game just to get an award that is exactly the same as any award anyone else has received. I know it seems like I'm kind of avoiding the issue, but really I'm not. I'm facing the real issue which is the hackers and pretty much demolishing their motivation to hack the game while still maintaining that sense of competition. Most hackers do it to gain attention, so they can look at the scoreboard and say, 'Yeah, I hacked the game to get that score.' But if they only have a little icon in their profile, who's going to care?

0

精彩评论

暂无评论...
验证码 换一张
取 消