I'm designing a simple MMORPG using HTML5 canvas, JS, and PHP via AJAX. I've got a simple demo working where a user can log in, and is taken to a page where they can choose a world from a dropdown.
However, I now face a security issue: I need to be able to tell PHP via JS which world to change to, but I don't want the user to be able to change this themselves.
I have a dropdown of worlds available to the user, but don't want them to be able to change to any world they feel like via very simple client-side hacking, i.e. changing the tag's value via Chrome's right-click -> Inspect Element.
I know the solution would be to make everything server-side, but then how do I pass (from JS to PHP) which world the user has selected to change to?
(Apologies if this was poorly written, and many thanks in advance)
You simply have to check the value the user gives on the server against a list of which worlds are allowed for that specific user.
// $currentUser comes from the server-side session created at login, never from the request.
$allowed = array('Christoph' => array('world1', 'world2'), 'saricDen' => array('world1', 'world2', 'world3'));
$world = isset($_POST['world']) ? $_POST['world'] : '';  // world requested by the client
if (isset($allowed[$currentUser]) && in_array($world, $allowed[$currentUser], true)) {
    echo 'data for ' . $world;  // $world is one of the allowlisted strings, so it is safe to echo
} else {
    echo 'no data';
}
When a user requests a world he's not allowed to join, he doesn't get the world's data.
To post the selected data via AJAX: add an onsubmit="sendAjaxRequest();" to the form, in which you send the data via AJAX to PHP. Once the request succeeds and tells you whether he's allowed to join or not: continue, or not.
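A complete endpoint built on the check this answer describes, as an added example that is not the answer's own code. The file name world.php, the $_SESSION['user'] key set at login, and the inline allowlist are assumptions for illustration (a real game would load the allowed worlds from the logged-in account's database row):

```php
<?php
// Added example, not the original answer's code: a complete world.php endpoint.
// The client only says which world it wants. Who the user is comes from the
// server-side session, and whether that user may enter that world comes from a
// server-side allowlist. Nothing the browser sends is trusted for either.
session_start();
header('Content-Type: application/json');

// Constructed allowlist for illustration; load it from the database in practice.
$allowedWorlds = array(
    'Christoph' => array('world1', 'world2'),
    'saricDen'  => array('world1', 'world2', 'world3'),
);

// Identity is taken from the session the login step created, never from POST
// (assumed key: $_SESSION['user']).
if (empty($_SESSION['user'])) {
    http_response_code(401);
    echo json_encode(array('ok' => false, 'error' => 'not logged in'));
    exit;
}
$currentUser = $_SESSION['user'];

// Only a plain string is acceptable; a client can send world[]=... to turn the
// value into an array, so anything that is not a string is treated as empty.
$requested  = (isset($_POST['world']) && is_string($_POST['world'])) ? $_POST['world'] : '';
$userWorlds = isset($allowedWorlds[$currentUser]) ? $allowedWorlds[$currentUser] : array();

// Strict comparison: the request must match one of the allowed strings exactly.
if (!in_array($requested, $userWorlds, true)) {
    http_response_code(403);
    echo json_encode(array('ok' => false, 'error' => 'world not available to this account'));
    exit;
}

// Record the choice server-side so that later requests (movement, chat, ...)
// use the session's world rather than a world name re-sent by the client.
$_SESSION['world'] = $requested;
echo json_encode(array('ok' => true, 'world' => $requested));
```

From the page, the dropdown's value is sent with something like fetch('world.php', { method: 'POST', credentials: 'same-origin', body: new URLSearchParams({ world: select.value }) }); editing the option in the inspector only changes what is requested, and the 403 branch answers any value the session's account is not allowed. Because the endpoint is authorised by the session cookie alone, a production version should also require a CSRF token, which this example does not show.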
You could generate a special hash for each world key and use that. Another option is to use a hash of all the other values and validate against that.
There is no guarantee that it still couldn't be hacked.