[nycphp-talk] Tamperproof URLs and PHP slides posted
John Campbell
jcampbell1 at gmail.com
Wed Dec 12 10:32:50 EST 2007
Thanks for the presentation.

I have a question that is related, but along different lines. I have
a flash game that saves high scores to the server and I want to
prevent high scores from being forged.

Initially the scores were sent as a simple post request, e.g.
name=john&score=1000. This is a problem because it is trivial to
forge the request. So my solution was to create the post request as
follows:

name=john&score=1000&checksum= . md5(md5("My secret") . name . score)

On the server side, I can verify the checksum.

This works well enough, but an enterprising hacker can download my swf
file and run `strings game.swf` to extract "My secret", and then they
can forge the request. Is there any cryptography method that
guarantees the request is coming from my code?

Thanks,
John Campbell
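
The server-side check described in the message above, as an added example that is not part of the original post (PHP; the function names, the HMAC variant and the sample requests are assumptions constructed here). It verifies the posted checksum with a constant-time comparison and, beside it, computes an HMAC over length-prefixed fields; either tag only shows that the sender holds the secret, which is the limitation the post raises.

```php
<?php
// Added example, not code from the original post. SECRET stands in for the
// value that the post says is embedded in game.swf.
const SECRET = 'My secret';

// Checksum exactly as the post describes it: md5(md5(secret) . name . score).
function post_checksum(string $name, string $score): string
{
    return md5(md5(SECRET) . $name . $score);
}

// Server-side check of the posted fields. hash_equals() compares in constant
// time, so response timing does not reveal how much of the checksum matched.
function verify_post(array $post): bool
{
    foreach (['name', 'score', 'checksum'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            return false; // missing field, or an array such as score[]=1
        }
    }
    if (!ctype_digit($post['score'])) {
        return false; // score must be a plain non-negative integer
    }
    return hash_equals(post_checksum($post['name'], $post['score']), $post['checksum']);
}

// Integrity tag with unambiguous field boundaries (an assumption, not the
// post's scheme): HMAC-SHA256 over length-prefixed fields, so the pairs
// ("john1", "000") and ("john", "1000") produce different inputs.
function hmac_tag(string $name, string $score): string
{
    $msg = strlen($name) . ':' . $name . '|' . strlen($score) . ':' . $score;
    return hash_hmac('sha256', $msg, SECRET);
}

// Constructed sample requests.
$genuine  = ['name' => 'john', 'score' => '1000', 'checksum' => post_checksum('john', '1000')];
$tampered = ['name' => 'john', 'score' => '9999', 'checksum' => $genuine['checksum']];

var_dump(verify_post($genuine));   // request as the game would send it
var_dump(verify_post($tampered));  // score edited after the checksum was computed

// Plain concatenation hashes both of these pairs over the string "john1000";
// the length-prefixed HMAC input keeps them distinct.
var_dump(post_checksum('john1', '000') === post_checksum('john', '1000'));
var_dump(hmac_tag('john1', '000') === hmac_tag('john', '1000'));
```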