Aldaron

New Members
  • Posts

    1
  • Joined

  • Last visited

    Never

Profile Information

  • Gender
    Not Telling

Aldaron's Achievements

Newbie

Newbie (1/5)

0

Reputation

I have a website with Flash games on it that uploads scores in a few of the games to MySQL database tables. Though recently a friend showed me he can perform cross-site scripting and insert scores via a carefully designed form via websites and JavaScript by using my PHP file. Usually I know what to do with these things, but for some reason I can't figure this one out, or maybe I don't have a very good start at all. How can I make sure (with the following script) that the Flash files on my website are the only files utilizing a PHP file? If it helps, here's the PHP file...

[code]$name_max = 16;      # Maximum player name length allowed
$display_max = 100;  # Maximum number of scores to display (multiple of 10)
$table_max = 125;    # Maximum number of scores kept in table

function error_msg($msg)
{
   exit("success=0&errorMsg=$msg");
}

$player_name = $_POST['name'];
$player_score = $_POST['score'];
$game_name = $_POST['game'];
$table_name = 'games_' . strtolower($game_name);
$player_ip = $_SERVER['REMOTE_ADDR'];

if (!isset($game_name)) error_msg('Could not access game table.');

require_once("db.php");
$link = @mysql_pconnect($db_hostname, $db_username, $db_password) or error_msg('Could not connect to database.');
mysql_select_db($db_name) or error_msg('Could not access database.');

# Saving new score?
if (isset($player_score) && is_numeric($player_score) && isset($player_name) && strlen($player_name) > 0 && strlen($player_name) <= $name_max)
{
   # Is this IP banned?
   $query = mysql_query('SELECT ip FROM games_banned_ip') or error_msg('Could not access database.');
   while ($row = mysql_fetch_row($query))
   {
      if ($player_ip == $row[0]) error_msg('Sorry, high scores have been disabled for your computer.');
   }

   # Has this name played already?
   $query = mysql_query("SELECT name, score FROM $table_name") or error_msg('Could not access database.');
   $num_rows = mysql_num_rows($query);
   $name_found = false;
   while ($row = mysql_fetch_row($query))
   {
      if ($player_name == $row[0])
      {
         $name_found = true;
         break;
      }
   }

   if ($name_found)
   {
      # If name already exists, and score is good enough, update it
      if (((int)$player_score) > ((int)$row[1])) mysql_query("UPDATE $table_name SET score='$player_score' WHERE name='$player_name'") or error_msg('Could not update score.');
   }
   else
   {
      # If scores table is full, check score and delete lowest entry before inserting
      if ($num_rows >= $table_max)
      {
         $query = mysql_query("SELECT name, score FROM $table_name ORDER BY score ASC LIMIT 0, 1") or error_msg('Could not retrieve scores.');
         $row = mysql_fetch_row($query);
         $good_score = (((int)$player_score) > ((int)$row[1]));
         if ($good_score) mysql_query("DELETE FROM $table_name WHERE name='$row[0]'") or error_msg('Could not delete score.');
      }
      else $good_score = true;

      # Insert new name, score and ip
      if ($good_score) mysql_query("INSERT INTO $table_name VALUES ('$player_name', '$player_score', '$player_ip')") or error_msg('Could not insert score.');
   }
}

# Return new scores table
$query = mysql_query("SELECT name, score FROM $table_name ORDER BY score DESC LIMIT 0, $display_max") or error_msg('Could not retrieve scores.');
$i = 1;
echo 'success=1&errorMsg=OK&maxScore=' . $display_max;
while ($row = mysql_fetch_row($query))
{
   echo "&name$i=$row[0]&score$i=$row[1]";
   $i++;
}
mysql_close($link);[/code]
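A hardened rewrite of the score handler, added here as an example and not the poster's code. It keeps the same POST fields and response format but maps the game name through a fixed whitelist instead of building a table name from input, uses PDO prepared statements, and checks an HMAC the SWF would compute over the submitted fields. It assumes db.php defines a PDO connection `$pdo` and a shared secret `$score_secret`; the game list and the `sig` field are assumptions too.

```php
<?php
// Hardened score handler (added example, not the original script).
// Assumes db.php defines $pdo (a PDO connection) and $score_secret (string).
require_once 'db.php';

$name_max      = 16;
$display_max   = 100;
$allowed_games = ['tetris' => 'games_tetris', 'snake' => 'games_snake']; // constructed whitelist

function error_msg($msg) { exit('success=0&errorMsg=' . rawurlencode($msg)); }

$game  = strtolower($_POST['game'] ?? '');
$name  = $_POST['name'] ?? '';
$score = $_POST['score'] ?? '';
$sig   = $_POST['sig'] ?? '';

// 1. Never derive a table name from user input: only whitelisted keys map to tables.
if (!isset($allowed_games[$game])) error_msg('Unknown game.');
$table = $allowed_games[$game];

// 2. Validate inputs strictly before anything reaches the database.
if (!preg_match('/^[A-Za-z0-9_ ]{1,' . $name_max . '}$/', $name)) error_msg('Bad name.');
if (!ctype_digit($score)) error_msg('Bad score.');
$score = (int)$score;

// 3. Require a signature over game|name|score using the secret shared with the SWF.
//    A secret compiled into a SWF can be recovered, so this raises the bar for forged
//    submissions; it does not prove the request came from the Flash file.
$expected = hash_hmac('sha256', "$game|$name|$score", $score_secret);
if (!hash_equals($expected, $sig)) error_msg('Invalid signature.');

// 4. Parameterised queries: user data is bound, never concatenated into SQL text.
$stmt = $pdo->prepare("SELECT score FROM $table WHERE name = ?");
$stmt->execute([$name]);
$existing = $stmt->fetchColumn();
if ($existing === false) {
    $stmt = $pdo->prepare("INSERT INTO $table (name, score, ip) VALUES (?, ?, ?)");
    $stmt->execute([$name, $score, $_SERVER['REMOTE_ADDR']]);
} elseif ($score > (int)$existing) {
    $stmt = $pdo->prepare("UPDATE $table SET score = ? WHERE name = ?");
    $stmt->execute([$score, $name]);
}

// 5. Return the table in the same key=value format; LIMIT is bound as an integer.
$stmt = $pdo->prepare("SELECT name, score FROM $table ORDER BY score DESC LIMIT ?");
$stmt->bindValue(1, $display_max, PDO::PARAM_INT);
$stmt->execute();
echo 'success=1&errorMsg=OK&maxScore=' . $display_max;
for ($i = 1; $row = $stmt->fetch(PDO::FETCH_ASSOC); $i++) {
    echo "&name$i=" . rawurlencode($row['name']) . "&score$i=" . (int)$row['score'];
}
```

The IP ban list and table-size cap from the original can be added back as further prepared queries; the essential change is that no request-controlled value ever becomes part of the SQL statement text.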