如何通过 PHP AJAX 调用安全地更改玩家数据?

发布于 2024-10-22 01:57:52 字数 399 浏览 3 评论 0原文

在开发 Facebook 游戏时,我意识到我还想不出一种安全的方法来更改用户数据(例如玩家的健康状况),而我想通过 AJAX 调用来实现这一点。如果我使用参数 {userid : 12345, newhealth : 25} 调用诸如 change_user_health.php 之类的脚本,我该如何以阻止用户的方式调用它从偷看脚本并调用该脚本自己到始终给自己充分的健康?

我最初考虑传递一个哈希值(可能是某个值的加盐 MD5 加密),但该哈希值在调用 AJAX 脚本文件的 JavaScript 中是可见的。我可以做什么来调用 AJAX PHP 脚本而不让用户看到 MD5 哈希是如何加盐和组成的?我希望哈希值在其组合中包含健康值(上例中为 25),以便用户不能只是使用相同的哈希值弹出不同的值(例如 100)。

While developing a Facebook game, I'm realizing that I can't yet think of a secure way to change user data (like, for example, player health), which I want to do via AJAX calls. If I call a script such as change_user_health.php with the parameters {userid : 12345, newhealth : 25}, how can I call it in such a way as to prevent users from peeking at the script and calling that script themselves to, say, give themselves full health at all times?

I was originally thinking of passing a hash (perhaps a salted MD5 encryption of a certain value), but this hash would be visible within the JavaScript that calls the AJAX script file. What can I do to call an AJAX PHP script without the user seeing how the MD5 hash is salted and composed? I want the hash to include the health value (25 in the above example) in its composition, so that the user can't just pop in a different value (like 100) with the same hash.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(3

杯别 2024-10-29 01:57:52

解决方案:将一切都放在服务器端。

比如说,玩家被击中。不是发送设置玩家 HP 的请求 ( setPlayerHP( current_hp - Damage )) 而是

发送请求来通知服务器玩家已被击中,并让服务器处理该请求并在响应中发送剩余的 HP。 (playerHit())

服务器然后应该弄清楚是什么击中了他,以及他穿着什么盔甲。你根本不能相信javascript...例如,如果你随请求一起发送了怪物ID,或者盔甲ID,那么玩家可以很容易地伪造它。

你所喜欢的听起来像是一种有趣的编程体验:)滞后也让事情变得更有趣。

The solution: Make everything server-side.

Say, player get's hit. Instead of doing a request to send set the players HP ( setPlayerHP( current_hp - damage ))

send a request to inform the server that the player has been hit, and let the server handle that and send the remaining hp in the response. ( playerHit() )

The server should then figure out what hit him, and what armor he is wearing. You can't trust javascript at all... If for example you sent the monster id along with the request, or the armor id, then the player could easily forge that.

What you are into sounds like an interesting programming experience :) Lag makes things a lot funnier, too.

不离久伴 2024-10-29 01:57:52

以下是有关可用于缓解该问题的技术的讨论:如何检查AJAX 请求的真实性

Here's a discussion on techniques you could use to mitigate the problem: How to Check Authenticity of an AJAX Request

梦一生花开无言 2024-10-29 01:57:52

因此,您可以做的第一件事是查看请求是否来自 ajax 请求,例如:

if(!empty($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest') {
  // a valid ajax request
} else {
 // not a valid ajax request

}

您现在应该探索:

  1. 在 JS 变量中设置秘密哈希(并将其保存在
    页面渲染时的会话)。

  2. 每当您发送该秘密哈希值
    发出 ajax 请求(POST 或 GET,无论您使用什么)。

  3. 当您处理请求时,首先
    检查请求是否来自
    xmlhttprequest,然后确保
    随请求发送的密钥等于
    会话变量中设置的一个。

祝你好运!

So the first thing you can do is see if the request came from an ajax request, such as this:

if(!empty($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest') {
  // a valid ajax request
} else {
 // not a valid ajax request

}

You should now explore:

  1. setting a secret hash in a JS variable (and save it in
    a session) when the page is rendered.

  2. send that secret hash whenever you
    make an ajax request (POST or GET, whatever you are using).

  3. When you process the request, first
    check if the request came from an
    xmlhttprequest, then make sure that
    the key sent with the request equals
    the one set in the session variable.

Good Luck!

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文