TwelvestoneFlash

Protecting POST data from the script kiddies


DontBogartMe
 
2008-06-09

so I've built a little game and want to add a hiscore table to it, it'll be built with MySQL and PHP.

I've already implemented some tricks to hide the score in the game from memory readers - I now want to hide the score from the data sniffers that catch it between the 'submit your score' screen in the game and the PHP script that saves it to the DB.

Has anyone here tackled this before?

The best info I've had so far has come from this thread on Flashkit - yeah I could join flashkit and ask them, but I do like to keep it 12stone

Anyway, there, webgeek suggests using AES (Rijndael) to encrypt the score before sending, but I'm not sure how to go about doing that in AS3 - anyone know?

JLM
 
2008-06-09

how about sending a jpg back of the score?

DontBogartMe
 
2008-06-09

how do you go about doing that?

JLM
 
2008-06-09

saving or decoding?

DontBogartMe
 
2008-06-09

both

It sounds like an interesting idea - but I reckon for my simple purposes here just a plain encode/decode with a normal encryption technique will do fine. I just need a nice AS3 function to encrypt, and a matching PHP function to decrypt on the server.

DontBogartMe
 
2008-06-09

this is what I've come up with myself, this may be enough on its own to prevent the casual attacks:

Invent a simple number encryption script, e.g. turn the num into a string, add some extra numbers, turn it back into a number and do a few simple sums on it - multiply it by something, add something else, multiply again, etc until bored - voila, an encrypted number.

You send that encrypted number, along with the actual score in plain text and then on the server decode the encrypted number by reversing the maths and compare with the plain text score. If they match, accept the score. If they don't, then reject the score and bar that IP for 20 mins or so.

I could further complicate it by creating a handful of variations of that encryption function, numbering them say 1 - 5 and sending along the number of the function to use. Disguise that by also sending a bunch of useless values too.

Course I'll also need to obfuscate my SWF to hide the encryption methods used.
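The check described in the post above, written out as an added example (not code from the thread): one encoding function, the server-side reversal and comparison, and the 20-minute bar. The padding digits, multipliers, function names and IP addresses are all constructed for illustration.

```php
<?php
// Added example. Every constant below is constructed for illustration.
const PAD = '37';            // extra digits appended to the score string
const MUL_A = 7;
const ADD_B = 1234;
const MUL_C = 3;
const BAR_SECONDS = 20 * 60; // "bar that IP for 20 mins or so"

// The transform the game would apply (written in PHP so both sides are visible).
function encode_score(int $score): int {
    $padded = (int)((string)$score . PAD);
    return ($padded * MUL_A + ADD_B) * MUL_C;
}

// Reverse the sums; null means the number cannot have come from encode_score().
function decode_score(int $token): ?int {
    if ($token % MUL_C !== 0) return null;
    $x = intdiv($token, MUL_C) - ADD_B;
    if ($x < 0 || $x % MUL_A !== 0) return null;
    $padded = (string)intdiv($x, MUL_A);
    if (substr($padded, -strlen(PAD)) !== PAD) return null;
    return (int)substr($padded, 0, -strlen(PAD));
}

// $bars maps IP => time the bar ends; a real script would keep this in MySQL.
function accept_submission(array &$bars, string $ip, string $score, string $token, int $now): bool {
    if (($bars[$ip] ?? 0) > $now) return false;          // still barred
    $plain = filter_var($score, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    $coded = filter_var($token, FILTER_VALIDATE_INT);
    if ($plain === false || $coded === false || decode_score($coded) !== $plain) {
        $bars[$ip] = $now + BAR_SECONDS;                  // mismatch: reject and bar
        return false;
    }
    return true;
}
// Constructed submissions: matching pair, edited plain score, retry while barred, retry after.
$bars = [];
$t0 = 1213000000;
$good = (string)encode_score(4200);
$cases = [
    ['203.0.113.5', '4200',   $good, $t0],
    ['203.0.113.9', '999999', $good, $t0],
    ['203.0.113.9', '4200',   $good, $t0 + 60],
    ['203.0.113.9', '4200',   $good, $t0 + BAR_SECONDS],
];
foreach ($cases as [$ip, $score, $token, $now]) {
    $ok = accept_submission($bars, $ip, $score, $token, $now);
    printf("%s score=%s -> %s\n", $ip, $score, $ok ? 'accepted' : 'rejected');
}
```

The server can only confirm that the two submitted values agree with each other, not that the score was earned in play, so a plausibility limit on the score is worth adding alongside this check.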

JLM
 
2008-06-10

I have done the saving stuff but not sure I have the PHP. The JPEG encoding is open-source Adobe classes, and I send with loader and get PHP to return a small image so that I can get a callback, bit hacky but works. Decoding depends on the image sent but might be a good project to learn haXe with. But the question was along the lines of: yes it's possible, but no point in me getting something together if you go for something simpler... as you have done, and anyway I would prob only want to share the code offline.

JLM
 
2008-06-11

save example I changed and posted in another post

domin8r
 
2008-07-11

Why not just use AMFPHP?

It's pretty easy to use, faster than sending regular http requests up and down AND the data is serialized so pretty much unreadable for the script kiddies. http://amfphp.org/
