Security - sending data from a third party to my server (Ajax, PHP)

I am trying to create a game leaderboard website which will contain people's highscores from different games.

I have 3 tables: users, games and gamedata.

The columns are as follows.

  • users : id | name

  • games : id | title | owner_id

  • gamedata : user_id | game_id | highscore

I have a JavaScript API which third-party game developers use to create a submit-score button in their game.

When they send me data, I receive it using $_POST and query it in my game_data table using "INSERT INTO game_data(user_id, gameid, highscore) VALUES('{$_SESSION['user_id']}', '$gameid', '$score')"

Now, as you know, anyone can send me fake data for $gameid and $score.

Since I have no control over those two values on my server, how is it possible to ensure the security of the data sent from third-party sites?

What do you mean by ensuring security?

Given your example, I would:

1) Sanitise the data. As a general rule, NEVER TRUST THE USER DATA.

2) Validate the data by looking at the database and checking whether $gameid is actually a record that exists on the table.

3) Make sure you validate the given $score within an accepted range.

4) Prepare your query to avoid SQL-injection.

5) Optional: Use SSL (you can get free certificates with Let's Encrypt)

6) If you can, move most of the logic on the server-side. Let the client just send actions, and do the logic server-side where you have granular control over the data and actions.
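The six steps above, applied to the question's submit-score endpoint, as one added example (this is not code from the question or the answer). It assumes the tables listed in the question (users, games with id/title/owner_id, gamedata with user_id/game_id/highscore), a logged-in user id in $_SESSION['user_id'], a PDO connection whose DSN and credentials are placeholders, and a hypothetical MAX_SCORE limit standing in for whatever range a real game allows.

```php
<?php
// Added example (not from the original question or answer): a submit-score
// endpoint that applies the six steps with PDO prepared statements.
// Assumptions: tables `games` (id, title, owner_id) and `gamedata`
// (user_id, game_id, highscore) as listed in the question; a PDO DSN and
// credentials that are placeholders; a logged-in user id in
// $_SESSION['user_id']; MAX_SCORE is a hypothetical upper bound.

declare(strict_types=1);
session_start();

const MAX_SCORE = 1000000; // hypothetical upper bound on a valid score

header('Content-Type: application/json');

function fail(int $status, string $message): void
{
    http_response_code($status);
    echo json_encode(['ok' => false, 'error' => $message]);
    exit;
}

// Only accept POST over HTTPS (step 5), and never trust anything in $_POST (step 1).
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    fail(405, 'POST required');
}
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    fail(400, 'HTTPS required');
}
if (!isset($_SESSION['user_id'])) {
    fail(401, 'not logged in');
}

// Step 1: coerce the fields to the expected types instead of interpolating raw strings.
// filter_input returns false for invalid input and null when the field is missing.
$gameId = filter_input(INPUT_POST, 'game_id', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1]]);
if ($gameId === false || $gameId === null) {
    fail(400, 'invalid game_id');
}

// Step 3: reject scores outside the accepted range.
$score = filter_input(INPUT_POST, 'score', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 0, 'max_range' => MAX_SCORE]]);
if ($score === false || $score === null) {
    fail(400, 'invalid score');
}

// Placeholder DSN and credentials.
$pdo = new PDO('mysql:host=localhost;dbname=leaderboard', 'app_user', 'app_password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// Step 2: the game id must refer to a row that actually exists.
$stmt = $pdo->prepare('SELECT 1 FROM games WHERE id = ?');
$stmt->execute([$gameId]);
if ($stmt->fetchColumn() === false) {
    fail(404, 'unknown game');
}

// Step 4: prepared statements keep user data out of the SQL text.
// Step 6: the client only reports a result; the server decides whether it is
// recorded. Here only an improvement over the stored highscore is written.
$stmt = $pdo->prepare('SELECT highscore FROM gamedata WHERE user_id = ? AND game_id = ?');
$stmt->execute([$_SESSION['user_id'], $gameId]);
$current = $stmt->fetchColumn();

if ($current === false) {
    $pdo->prepare('INSERT INTO gamedata (user_id, game_id, highscore) VALUES (?, ?, ?)')
        ->execute([$_SESSION['user_id'], $gameId, $score]);
} elseif ($score > (int) $current) {
    $pdo->prepare('UPDATE gamedata SET highscore = ? WHERE user_id = ? AND game_id = ?')
        ->execute([$score, $_SESSION['user_id'], $gameId]);
} else {
    echo json_encode(['ok' => true, 'updated' => false]);
    exit;
}

echo json_encode(['ok' => true, 'updated' => true]);
```

The user id comes from the server-side session rather than from the request, so a third-party page can only ever submit on behalf of the user whose browser is making the call; the game id and score are typed and range-checked before any query runs, and every value reaches MySQL as a bound parameter rather than as part of the query string.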