How do I prevent unauthorized posts when using Ajax?

  • How do I prevent someone from figuring out the PHP POST URL and then manually entering data outside of the app, just by using the URL with the POST variables in it, or by creating an HTML form with method POST?

  • You can add a hash to every message, and check this hash on the server side. Both the server and your app need to have the same key and the same hashing function.

    But this will still not protect from an experienced hacker, who can disassemble your app and find the key.

  • Can you explain how to do that?

    Wouldn't the key just get passed as a Parameter in the url which could just be copied and used in an external form, url, or app?

  • No, you don't pass the key, it should be kept in secret inside the app and on your server.

    For example, you want to send PlayerName and PlayerScore.

    First you need to generate a HashValue = HashFunction(PlayerName & PlayerScore & SecretKey).

    Then you send three fields to the server: PlayerName, PlayerScore and HashValue.

    On the server, in the PHP file, you need to generate the same hash again, using PlayerName and PlayerScore from the request, and the key stored on the server.

    If both hashes match, then you can be sure that the data was sent by your app and was not compromised.


    I used CBHash plugin (you can find it here) to generate hashes in C3. But you'll also need the same hash function on the server side, I'm sure you can find how to do it on Stackoverflow.

  • Ok so inside C3, I just do the following...

    Event -> SHA-256 - Hash -> var1&var2 (or do I hash each var individually?)

    Then I guess I am stuck on what to do to call the hashed values into Ajax to send to the server. Is it CBHash.get_lastResult?

  • Is it safe?

    Is it possible to see the encryption formula inside the js files?

  • A hash is a bit different than encryption.

    The hash simply tells you if the data has been altered.

    They would have to alter the game code to elicit a specific response to a specific hash.

    If it were just a single character that might work, multiple, not so much.

    Keep in mind that all that is magnitudes more work than simply looking up methods to break encryption.

    Not that regular obfuscation/encryption wouldn't most likely deter 99% of would-be hackers.

  • Brilliant, easy enough for me to figure out.

    So for anyone who stumbles across this thread. Here is what I did to make this work properly.

    - Get the plugin CBHash for C3.

    - Set a key somewhere in your project. I set it as an instance variable on a random object that I will remember. The key example is RandomObject.key (which would be 1234567890 if you looked at the variable)

    - Event -> CBHash -> Hash PlayerName&RandomObject.key (Hexadecimal)

    - Event -> System -> Set Variable1 to CBHash.get_lastResult

    - Event -> Ajax -> Request "https://somedomain.com/somefile.php?name=PlayerName&hash=Variable1"

    Then in your PHP File it would work like this. Could be GET, REQUEST, or POST I assume.

    $player = (string) $_REQUEST['name'];
    $hashed = (string) $_REQUEST['hash'];
    $key = '1234567890'; //<--- Nobody should see this since it's in PHP.
    $str = $player . $key;
    // Must be the same function CBHash used in C3 (SHA-256, hexadecimal output); md5() would never match.
    // hash_equals() compares in constant time instead of ===, so the comparison does not leak timing.
    if (hash_equals(hash('sha256', $str), $hashed)) {
        //Do something here
    }

  • Wait....I am missing something here.

    If I take the

    Domain.com/file.php?Player=JoeCool&hash=generatedhash

    And just paste that into a browser, it still gives me information. They don't need the key because you are already passing the hash to the server.

    So when the server checks if

    $player . $key equals the $hash passed in the url it's going to work for the app or just pasted right into a browser.

    What am I missing?

  • Never mind. This will only allow them to retrieve their own information because that hash is unique to only them. If they tried to INSERT data into the database they wouldn't be able to, because they don't have a key to generate the correct hash to match the server.

    So I guess my code is fine then.
