-
Sadly, "HTTP_REFERER" is not always passed from the Flash player and some browsers don't necessarily pass it either. It is also quite simple to fake that using various tools. Any hacker beyond script kiddie will know how. Tonypa is correct: you can't really protect your swf against direct manipulation if it runs in the browser.
Electrotank has a terrible time keeping up with hackers trying to get through our high score boards. We currently use a home-made encryption based on the concept of one-time cipher pads and a few other tricks thrown in there. Go here for details (scroll down a bit):
http://www.cs.utsa.edu/~wagner/laws/pad.html
Basically, you load some random data from the server to be used to encrypt your score, you do the encryption and then send it to the server. The server then uses the same random data and reverses the process to decode your request. We actually encrypt the entire XML document requesting a score to be saved. The random data you used is generated on the fly (no duplicates ensured or accepted in code), is variable length (based on a minimum and a maximum size) and has a timed lifespan that is VERY short. The score system validates minimum and maximum values for a given game. We are also working out some code to ensure that the server can tell how long you were playing a game. Based on play time, you can calculate the maximum score possible and validate a submission. On top of this, the site automatically bans people that appear to send invalid requests (currently turned off till the other bugs in the site are worked out).
Thus far this has worked very well and while it's not hack proof, even experienced hackers would have to rip the hell out of the score code on the client to break it. If anyone wants more implementation details, you can PM or email me. Have fun!
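The server side of the scheme described in the post above, as an added Python sketch that is not part of the original post and not Electrotank's code. The class, the constants, the per-game limits and the pipe-delimited payload (standing in for the encrypted XML document) are all assumptions made for illustration.

```python
import secrets
import time
# Added illustration: every name and limit below is an assumption, not Electrotank's code.
PAD_MIN, PAD_MAX = 64, 128      # assumed pad size bounds, in bytes
PAD_TTL = 5.0                   # assumed pad lifespan, in seconds
GAME_LIMITS = {"demo": (0, 50_000, 100)}  # constructed: min, max, max points/second


def xor_with_pad(data: bytes, pad: bytes) -> bytes:
    """XOR is its own inverse, so this both encrypts and decrypts."""
    if len(data) > len(pad):
        raise ValueError("message longer than pad")
    return bytes(d ^ p for d, p in zip(data, pad))


class ScoreServer:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.pads = {}      # pad_id -> (pad, expiry)
        self.started = {}   # player -> game start time

    def start_game(self, player: str) -> None:
        self.started[player] = self.clock()

    def issue_pad(self):
        pad = secrets.token_bytes(PAD_MIN + secrets.randbelow(PAD_MAX - PAD_MIN + 1))
        pad_id = secrets.token_hex(8)
        self.pads[pad_id] = (pad, self.clock() + PAD_TTL)
        return pad_id, pad

    def submit(self, pad_id: str, ciphertext: bytes) -> str:
        entry = self.pads.pop(pad_id, None)   # pop: a pad is never accepted twice
        if entry is None:
            return "rejected: unknown or reused pad"
        pad, expiry = entry
        if self.clock() > expiry:
            return "rejected: pad expired"
        try:
            game, player, score = xor_with_pad(ciphertext, pad).decode().split("|")
            low, high, rate = GAME_LIMITS[game]
            score = int(score)
            played = self.clock() - self.started.pop(player)
        except (ValueError, KeyError):
            return "rejected: malformed request"
        if not low <= score <= high:
            return "rejected: score out of range"
        if score > rate * played:
            return "rejected: score impossible for play time"
        return "accepted"
```

Because the client holds the pad, the pad only raises the cost of tampering; the single-use and expiry checks stop replays, and the range and play-time checks are what bound a forged score.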
-
So far I have done everything Rrrufusss ordered n also attach LoadVar instead of placing the .php straight, however it still doesn't work.
It can call the .php successfully but it can't write any new scores.
Plz help me..
Thx a lot :)
-
here is my flash button action script:
on (release) {
    function findsum (score) {
        for(i=0;i<score.length;i++){
            sum=Number(sum)+Number(score.charAt(i));
        }
        return(sum);
    };
    scoretable.filename = "imgs/yoenida-medmaj.sco";
    scoretable.scoresize = 10;
    scoretable.action = "INSERT";
    scoretable.viewtype = "FLASH";
    scoretable.winname = _root.name;
    scoretable.winscore = _root.score;
    scoretable.winsum = findsum(winscore);
    scoretable.loadVariables(googlerb+random(99999), "POST");
    gotoAndStop(12);
}
-
Is the "googlerb" new name of your php script?
Does it work, when you use this line?
scoretable.loadVariables("googlerb", "POST");
Do you have "yoenida-medmaj.sco" in the "imgs" directory?
Is the movie clip "scoretable" same in the frame where you have this code and frame 12?
-
Is the "googlerb" new name of your php script?
Yes, I've previously declared that variable as the address of my php script.
"scoretable.loadVariables("googlerb", "POST");" I'll try it soon.
Do you have "yoenida-medmaj.sco" in the "imgs" directory?
Yes, n I've changed both the directory and .sco files permission to 777 too.
Is the movie clip "scoretable" same in the frame where you have this code and frame 12?
Yes.