问题
I've a game in which my JavaScript calls PHP scripts via POST to change values in the database. How can I prevent someone repeatedly duplicating the request and giving themselves a billion points?
Right now I pass a password through sha1() and check if it's there on the PHP side, but this wouldn't stop someone repeating the request.
I can't use timestamps because time will lapse between call (JS POST request) and run of the PHP script.
Edit:
- My PHP script doesn't increment the database values (points=points+10), it takes the values passed to it and updates the field (points=300)
- I update several tables on each interaction (well each interaction which result in points going up) in the game. One of these keeps track of every vote. This table only allows a user to vote on any image once. If I were to do this update first, if the user has tried to repeat this request, the result would return an error and I could kill the PHP script.
Is this sufficient security? Do I still need to worry about preventing duplicate requests?
回答1:
It sounds like a lot of this logic now remains clientside, so you can't stop someone from sending "score.php?score=1000" multiple times.
Add logic to the server side that checks how often a given request can be executed, or, even better, execute game logic completely serverside (so the user won't have to submit his own score, but simply requests a certain game action to be executed, eventually resulting in a score which could then be added to the user).
回答2:
If you have some form of session identifier you can increment a count of times that request has been made. This isn't bullet proof however, clearing out session cookies will allow that request to be made again.
You will need some form of login to prevent someone clearing their cookies, or even a cURL script looping.
Edit:
As a stop-gap measure, you could add a form of CSRF protection, a one-time-use hash would need to be applied to each request to make it valid.
回答3:
You can also pass a flag from post which you can set to whatsoever value when u really wants to update the value in database otherwise set it to 0. And while updating check the value of the flag and corresponding update it.
回答4:
given that GET or POST both can be easily done by the client. if you are just sending a raw score to the server this can never be good. I have never written a game where that much logic occurs on the client. the client side should just send commands to the server and the server decides whether or not this is a valid transaction/state. more or less the server knows the state of the client and the client just reflects that. that's the probably the only true way to gaurantee that what a client is doing is legal.
回答5:
Use captcha Wiki CAPTCHA , reCAPTCHA
Also, use Session to write down number of repeated requests done my user to the server and increment it on each successful request,
Then block the user from accessing your PHP script with the help of session storage data. PHP SESSIONS
来源:https://stackoverflow.com/questions/7305492/how-to-secure-encode-javascript-post-requests