I am planning on making a game with ActionScript 3.0 (Flash). However, I am having some security issues with saving user points.

To be more specific, read below and you'll understand what the exact problem is.

  1. You start my Flash application. PHP creates a session for your username. You play for a few minutes and reach 750 points.
  2. You click on the "Save my points" button.
  3. It connects to "game.php?points=[]" with your point amount, hence game.php?points=750.
  4. PHP connects to MySQL and does an update/insert query with the username you entered when opening the application, and gets the points from $_GET['points'] as you can see in step 3.

The issue is, anyone who could directly browse "game.php?points=999999999999" would have his points saved in the database.

I thought about encrypting the points, however, Flash is a client-side application and anyone could change the "points" value with an application like "Cheat Engine". Once they change the points, encrypted points will automatically be generated by Flash.

I also thought about creating a private key for each player on signup and encrypting accordingly, but it also won't work because once a user changes his points with Cheat Engine, Flash will automatically encrypt the points with the given private key, hence another useless theory...

Some people suggested that I use SSL, just because popular companies like Zynga use it, but I am looking for other theories here.

Any ideas on this case, except using SSL?

PS. The game will be an MMO, so securing data transactions is essential.

Aristona
  • possible duplicate of [What is the best way to stop people hacking the PHP-based highscore table of a Flash game](http://stackoverflow.com/questions/73947/what-is-the-best-way-to-stop-people-hacking-the-php-based-highscore-table-of-a-f) – weltraumpirat Nov 13 '11 at 00:53
  • @weltraumpirat That is by no means a solution, you should delete this comment. – rook Nov 16 '11 at 02:06
  • @Rook I beg to differ. The question is almost identical, and the accepted answer includes everything that was said below. – weltraumpirat Nov 16 '11 at 05:53
  • @weltraumpirat you're right about the question. However, the answer is painfully incorrect. – rook Nov 16 '11 at 07:20
  • @Rook DO read it again. It iterates all possible forms of encryption - and then finally states why they won't help, and what else could be done. It's one of the best answers I've seen on SO, and it didn't get 200+ votes for nothing... – weltraumpirat Nov 16 '11 at 11:17

2 Answers


For a really secure approach you need to move your game's logic to the server as much as possible and ideally make the Flash movie just an interface that shows the game's current state to the user.

Check out Yeldarb's post in this thread for a good explanation.

nobody
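The server-authoritative design this answer recommends, as an added Python sketch that is not code from the post (and not the asker's PHP): the client reports what it did, the server validates each action and owns the score, and the old `points=` parameter is ignored. The event table, point values and rate limit below are constructed for the illustration.

```python
"""Server-authoritative scoring: the client reports actions, never its score."""
import time

# Constructed rules: which events exist, what they are worth, and how fast a
# legitimate player could possibly produce them.
EVENT_POINTS = {"coin": 10, "enemy": 25, "level": 100}
MIN_SECONDS_BETWEEN_EVENTS = 0.2


class GameSession:
    """Per-player state kept on the server (e.g. in the PHP session or a DB row)."""

    def __init__(self, user, coins_in_level):
        self.user = user
        self.score = 0                          # authoritative; the client never sets it
        self.remaining_coins = set(coins_in_level)
        self.last_event_at = 0.0
        self.rejected = []                      # kept for later anti-cheat review

    def apply_event(self, kind, target=None, now=None):
        """Validate one client-reported action; return True if it was scored."""
        now = time.monotonic() if now is None else now
        if kind not in EVENT_POINTS:
            return self._reject(kind, target, "unknown event")
        if now - self.last_event_at < MIN_SECONDS_BETWEEN_EVENTS:
            return self._reject(kind, target, "faster than a human can play")
        if kind == "coin":
            # A coin can only be collected once, and only if the level has it.
            if target not in self.remaining_coins:
                return self._reject(kind, target, "coin missing or already taken")
            self.remaining_coins.discard(target)
        self.last_event_at = now
        self.score += EVENT_POINTS[kind]
        return True

    def _reject(self, kind, target, why):
        self.rejected.append((kind, target, why))
        return False


def save_points_handler(session, params):
    """Replacement for game.php?points=N: any client-supplied 'points' value is
    ignored and logged; what gets stored is the server-computed score."""
    if "points" in params:
        session.rejected.append(("points", params["points"], "client-supplied score ignored"))
    return session.score
```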

First of all, SSL doesn't help you at all. It sounds like you have never heard of Tamperdata.

This is a classic CWE-602 violation. Cryptography does not address these problems because the attacker has more control over the application than you do. There is no place to hide a secret.

rook