I currently have a JS game posted on my website. I want to have an HTML form that get's the user's name and submits it to the server (saved on just a text file). At the moment, I could use PHP so that website/game/scores.php?action=submit&name="Player's Name"&score="Player's Score". I'm pretty confident that this would work. However, anyone who could read my HTML could just pass a fake score onto that function.
How should I approach this security problem?
Note: I know SQL would probably work better for this situation, but I'm not interested in learning mySQL yet!
Thanks in advance.
EDIT: Now I have another problem. The PHP isn't getting the POST parameters from the form. Code is below:
JS:
var form = document.createElement("form");
form.setAttribute("method", "post");
form.setAttribute("action", "http://michaelman.net/snake/scores.php");
var dataField = document.createElement("input");
dataField.setAttribute("type", "hidden");
dataField.setAttribute("name", name);
dataField.setAttribute("value", score);
form.appendChild(dataField);
document.body.appendChild(form);
form.submit();
PHP:
switch($_SERVER['REQUEST_METHOD']){
case 'GET': $the_request = &$_GET; echo "GTFO!";
case 'POST': $the_request = &$_POST; writeToFile($_POST['name'], $_POST['value']);
echo ("Saved: " . $_POST['name'] . " - " . $_POST['value']);
}
Although the server recognizes the request, it can't get any of the parameters. Why is that? Thanks.
EDIT 2: Sorry for the dumb edit. I've figured it out by creating two separate form fields, one for name and the other for score. In the PHP code, I just retrieve the "name" and "score" parameters.
Use a form tag like this:
<form action="scores.php" method="post">
Then all the variables passed to scores.php will be accessible like this:
$name = $_POST['name'];
$score = $_POST['score'];
and will not appear in the URL's query string.
If you are using METHOD="GET" it will show up in the URL and is a security nightmare but if you are using METHOD="POST" it will not show up and is more secure.
There are many ways you could secure this application. Without knowing the nature of your game it is difficult to say exactly but firstly you should use the POST method instead of GET (this way url params will not be readable), this is still not completely secure though, as anyone can still hit that script with POST parameters.
I'd suggest having scores calculated in the PHP itself as a result of different actions from the user. E.G in a game of chess your backend should know what pieces are where, if a user takes a piece then the backend knows, making the front end quite dumb and just updating the UI to reflect the backend.