A friend of mine made a Flash game for my website. The game makes a request to /game/p00ints.php with the points in $_POST['points'].
But a hacker can easily find out how to get more points, I guess, so how can my friend or I fix this security hole?
Best regards,
Erik Persson
The way to fix this is to have all the point calculation on the server and have the client send raw input (e.g. hold left arrow key 1 second, enter key press, hold left mouse button 2 seconds, etc.). Even then, attackers can still write bots to bypass your Flash client (but the bots will have to send raw input). I understand implementing this is complex, but I think this is the most secure solution.
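The server-side approach this answer describes, as an added example that is not part of the original thread: a Python stand-in for p00ints.php that recomputes the score by replaying raw input events under the server's own rules and ignores any total the client sends. The event names, point values and timing bounds are made-up assumptions, not anything from the game in the question.

```python
import json

# Constructed scoring rules for a hypothetical game: points per event type and the
# shortest plausible interval between two events (ms), used as a sanity bound.
POINTS_PER_EVENT = {"coin": 10, "enemy": 50, "level_clear": 200}
MIN_EVENT_GAP_MS = 80          # assumption: no human produces events faster than this
MAX_SESSION_MS = 30 * 60 * 1000

def compute_score(events):
    """Replay the raw input stream with the server's rules and return the score.

    Raises ValueError on anything a legitimate client should never produce:
    unknown events, out-of-order or implausibly fast timestamps, absurd length.
    """
    score = 0
    last_t = -MIN_EVENT_GAP_MS
    for ev in events:
        kind, t = ev["type"], ev["t"]
        if kind not in POINTS_PER_EVENT:
            raise ValueError(f"unknown event type {kind!r}")
        if not isinstance(t, int) or t < 0 or t > MAX_SESSION_MS:
            raise ValueError("timestamp out of range")
        if t - last_t < MIN_EVENT_GAP_MS:
            raise ValueError("events arrive faster than a human could produce them")
        last_t = t
        score += POINTS_PER_EVENT[kind]
    return score

def handle_submission(post_body):
    """Server-side handler (stand-in for p00ints.php). The client sends only raw
    events; a 'points' field, if present, is ignored rather than trusted."""
    try:
        data = json.loads(post_body)
        events = data["events"]
        if not isinstance(events, list) or len(events) > 10_000:
            raise ValueError("bad event list")
        return {"ok": True, "points": compute_score(events)}
    except (KeyError, TypeError, ValueError) as exc:
        return {"ok": False, "error": str(exc)}

# Constructed sample submissions: one honest session, one forged burst of kills.
LEGIT = json.dumps({"points": 999999,   # client-claimed total, ignored by the server
                    "events": [{"type": "coin", "t": 100}, {"type": "coin", "t": 400},
                               {"type": "enemy", "t": 1200}]})
TAMPERED = json.dumps({"events": [{"type": "enemy", "t": i * 10} for i in range(50)]})

if __name__ == "__main__":
    print(handle_submission(LEGIT))      # {'ok': True, 'points': 70}
    print(handle_submission(TAMPERED))   # rejected: events too fast to be human
```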
Adding a private key to the flash file may be enough of an obstacle for a casual game. However, it provides no real security, because someone can easily decompile the SWF.
Quick solution: add some checksum as a second parameter, for example md5("secretword"+md5(points)). It will make a hacker's life harder and hopefully they won't bother.
I don't think there is an absolutely 100% secure solution, as Flash can be decompiled.