So my game does not send any sensitive data: just anonymous score values. Still, having it all on the table via seems kind of insecure?
Basically it is very easy to inject something there or to exploit this url to add anything you want to the database (mysql).
Can you recommend any ways to prevent this?
Develop games in your browser. Powerful, performant & highly capable.
I gave an answer to this a while back for someone else. Maybe it will help you...
troublesum, thanks, that was a really insightful answer. So basically the approach to security here is the same as anywhere else.
I'm just wondering whether it is worth it to deal with all the handshakes and encryption just to send anonymous scores. Even if someone dropped the entire mysql table I'd just reup it from backup. On the other hand, why tempt fate.... I'll have a look at how cumbersome to implement would the mechanisms you described be.
It's probably best to not just have your sql open to any query it gets.
A really simple solution would be to sanitize the data via PHP on the back end so that the only thing that would ever happen from an AJAX call would be that a number is added to the high score. That way, even if they tried to send an injection, it would end up as just a number, and dropped on the high score.
More advanced would be to format the number in a specific way so that if any other number was received (such as an injection attack), it wouldn't even add that false high score.
I would suggest a PDO operation, instead of mysqli, but if that's not an option for you, you can still sanitize mysqli.
Look into "Prepared Statements". They exist for various languages and exist to solve the problem of injection.