-1

I am quite new to web development and recently finally managed to code a simple online game using javascript. The original method I used to manage the high score system was to pass a series of javascript vars into a HTML form, before submitting onto a php script (ie javascript > HTML(form) > PHP > DB):

Javascript:

var score = 345345; //score after playing game
document.theform.score.value = score;
document.theform.submit();

HTML:

<form name="theform" action="scorehandler.php" method="post">
    <input name="score" type="hidden" value="">
</form>

Using this method however allows the user to easily hack by recreating the form and submitting on their own.

I get that the usual approach to prevent users from hacking is probably to do as much of the coding on the server side as possible (ie use php to replace as much of the code as possible), but it seems like it may pose some potential problems for a game especially (e.g. php's synchronous nature)

Is there a way to somehow hide the html form (and relevant javascript vars) from the client-side without having to recode everything in php? Or are there some other standard workarounds to this?

Any help is greatly appreciated!

Poh Zi How
  • 1,489
  • 3
  • 16
  • 38
  • 3
    Javascript/HTML need to be seen to be rendered and accessible via the browser, so there's no methods of securing those. You could go for security through obfuscation but that generally does not work too well. – N.J.Dawson Jul 27 '16 at 07:03
  • there are no ways of securing html and js as it's rendered in client side, but to prevent malicious form submission you can use CSRF token, and there are lots of other ways preventing malicious inputs. – shyammakwana.me Jul 27 '16 at 07:10
  • 4
    Related reads: http://stackoverflow.com/questions/3531968/why-is-client-side-validation-a-security-risk-as-opposed-to-server-side-validati http://stackoverflow.com/questions/13942498/should-you-validate-server-side-if-youre-validating-client-side - Especially the second one. "Never trust anything that comes from the browser." The user has total control over their browser. They can spoof anything. – Sumurai8 Jul 27 '16 at 07:10

1 Answers1

-2

You could generate some kind of hash and nonce key algorithm to send your verifying page.

You would encrypt the score with a hash + salt value, generate a unique nonce value and then send the hash, the score and the nonce to your verifier.

At the verifying stage, you regenerate the hash using the salt + the user submitted score. If both hashes are the same, accept the score. Then check the nonce value (some random bit of data, like a timestamp) to see if the hash has been sent before (to stop users from just copying hashed data and repeatedly sending it) and if the nonce is unique then accept the answer.

Hope that makes a bit of sense.

JavaScript doesn't have any native hashing algorithms, so you can use something like JS library to do your hashing:

https://github.com/blueimp/JavaScript-MD5
Patchesoft
  • 317
  • 6
  • 21