Points (PTS) in flash game

2019-08-30 04:06发布

问题:

A friend to me made a flash game for my website. The game makes a request to /game/p00ints.php with the points in $_POST['points'].

But, a hacker can easy find out how to get more points I guess, so, how can my friend or I fix this security hole?

Best regards,

Erik Persson

回答1:

The way to fix this is have all the point calculation on the server and have the client send raw input (e.g. hold left arrow key 1 second, enter key press, hold left mouse button 2 seconds, etc.). Even then, attackers can still write bots to bypass your flash client (but the bots will have to send raw input). I understand implementing this is complex, but I think this is the most secure solution.

Adding a private key to the flash file may be enough of an obstacle for a casual game. However, it provides no real security, because someone can easily decompile the SWF.



回答2:

Quick solution - add some checksum as a second parameter, for example md5("secretword"+md5(points)). It will make hacker's life harder and hopefully they won't bother.

I don't think there is absolute 100% secure solution as flash can be decompiled.