如何通过 PHP AJAX 调用安全地更改玩家数据?
在开发 Facebook 游戏时,我意识到我还想不出一种安全的方法来更改用户数据(例如玩家的健康状况),而我想通过 AJAX 调用来实现这一点。如果我使用参数 {userid : 12345, newhealth : 25}
调用诸如 change_user_health.php
之类的脚本,我该如何以阻止用户的方式调用它从偷看脚本并调用该脚本自己到始终给自己充分的健康?
我最初考虑传递一个哈希值(可能是某个值的加盐 MD5 加密),但该哈希值在调用 AJAX 脚本文件的 JavaScript 中是可见的。我可以做什么来调用 AJAX PHP 脚本而不让用户看到 MD5 哈希是如何加盐和组成的?我希望哈希值在其组合中包含健康值(上例中为 25),以便用户不能只是使用相同的哈希值弹出不同的值(例如 100)。
While developing a Facebook game, I'm realizing that I can't yet think of a secure way to change user data (like, for example, player health), which I want to do via AJAX calls. If I call a script such as change_user_health.php
with the parameters {userid : 12345, newhealth : 25}
, how can I call it in such a way as to prevent users from peeking at the script and calling that script themselves to, say, give themselves full health at all times?
I was originally thinking of passing a hash (perhaps a salted MD5 encryption of a certain value), but this hash would be visible within the JavaScript that calls the AJAX script file. What can I do to call an AJAX PHP script without the user seeing how the MD5 hash is salted and composed? I want the hash to include the health value (25 in the above example) in its composition, so that the user can't just pop in a different value (like 100) with the same hash.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
解决方案:将一切都放在服务器端。
比如说,玩家被击中。不是发送设置玩家 HP 的请求 ( setPlayerHP( current_hp - Damage )) 而是
发送请求来通知服务器玩家已被击中,并让服务器处理该请求并在响应中发送剩余的 HP。 (playerHit())
服务器然后应该弄清楚是什么击中了他,以及他穿着什么盔甲。你根本不能相信javascript...例如,如果你随请求一起发送了怪物ID,或者盔甲ID,那么玩家可以很容易地伪造它。
你所喜欢的听起来像是一种有趣的编程体验:)滞后也让事情变得更有趣。
The solution: Make everything server-side.
Say, player get's hit. Instead of doing a request to send set the players HP ( setPlayerHP( current_hp - damage ))
send a request to inform the server that the player has been hit, and let the server handle that and send the remaining hp in the response. ( playerHit() )
The server should then figure out what hit him, and what armor he is wearing. You can't trust javascript at all... If for example you sent the monster id along with the request, or the armor id, then the player could easily forge that.
What you are into sounds like an interesting programming experience :) Lag makes things a lot funnier, too.
以下是有关可用于缓解该问题的技术的讨论:如何检查AJAX 请求的真实性
Here's a discussion on techniques you could use to mitigate the problem: How to Check Authenticity of an AJAX Request
因此,您可以做的第一件事是查看请求是否来自 ajax 请求,例如:
}
您现在应该探索:
在 JS 变量中设置秘密哈希(并将其保存在
页面渲染时的会话)。
每当您发送该秘密哈希值
发出 ajax 请求(POST 或 GET,无论您使用什么)。
当您处理请求时,首先
检查请求是否来自
xmlhttprequest,然后确保
随请求发送的密钥等于
会话变量中设置的一个。
祝你好运!
So the first thing you can do is see if the request came from an ajax request, such as this:
}
You should now explore:
setting a secret hash in a JS variable (and save it in
a session) when the page is rendered.
send that secret hash whenever you
make an ajax request (POST or GET, whatever you are using).
When you process the request, first
check if the request came from an
xmlhttprequest, then make sure that
the key sent with the request equals
the one set in the session variable.
Good Luck!