How to securely send game data?

[Rifts]

Hey guys!

 

I'm creating a simple php game and I'm not sure how much security to add.

 

For instance If I have a system that submits the users score to my mysql database do I need to do something with this value so it can not be tampered with? I don't want someone to be able to change the value and cheat.

 

I was looking into using a secret key or token but I'm kind of confused as to how to implement them.

 

Thanks for the help

[requinix]

It depends where you're doing the work. Is it all in PHP or is some part of it in JavaScript or HTML?

[Rifts]

It varies.

 

Some stuff go from my iphone app to php and then also from php to iphone.

[requinix]

I'll put it this way: anything that originates from something outside of your direct control (3rd-party APIs, data from an iPhone app) or that has passed through the user (HTML forms, URLs) is not safe.

[Rifts]

how can I help make it safe?

[requinix]

Depends on the data, depends where it's going. Sometimes you just escape it, sometimes you have to actually encrypt or encode it. There is no blanket answer.

 

The problem you face is that the app has to communicate with your server, and (theoretically) someone could watch the data being sent and then fake their own version. Here you would probably encrypt it; SSL should be adequate for that. So make sure your server is set up for an SSL site and... that's about it.

 

Disclaimer: I don't develop apps, I've never had to tackle this problem before. So find yourself an experienced app developer (maybe here on phpfreaks) and ask what they would do.

[scootstah]

The problem you face is that the app has to communicate with your server, and (theoretically) someone could watch the data being sent and then fake their own version. Here you would probably encrypt it; SSL should be adequate for that. So make sure your server is set up for an SSL site and... that's about it.

 

This seems like the best, and easiest way to go.

 

If you don't want to (or for some reason can't) use SSL, you will have to encrypt the data manually. Both ends of the connection will have to know how to encrypt/decrypt the data.

[MMDE]

The problem you face is that the app has to communicate with your server, and (theoretically) someone could watch the data being sent and then fake their own version. Here you would probably encrypt it; SSL should be adequate for that. So make sure your server is set up for an SSL site and... that's about it.

 

This seems like the best, and easiest way to go.

 

If you don't want to (or for some reason can't) use SSL, you will have to encrypt the data manually. Both ends of the connection will have to know how to encrypt/decrypt the data.

 

It shouldn't be possible to send the same "encrypted" data twice, so it should encrypt the data sent depending on something numbers or messages you send it first. Only case it can use the same data again then is if you send the same data to it first. This alone makes it much harder to cheat. Make sure people can't spam your server to get the same data sent twice, and that it's no easy way to tell what you've done with the data, so anyone sniffing sits there confused, giving up instead of putting a lot of effort into hacking just a mere game. It depends on your game though, how big it is.

[Rifts]

ok thanks I think that helps a lot, this weekend I will try to setup a SSL cert on my godaddy hosting.

 

Thanks

 

 

[xyph]

If you have encryption libraries available in the app you're programming, you'd probably be best to do that. The attacker would have to decompile the application to get at the public key. It's possible to make decompiling very difficult, from what I've read and understand.

 

If the application has to run on the client, there will always be potential to break it.