stackoom
  简体   繁体   中英

How to make a php script accept data only from a certain application

 原文  2013-01-19 14:18:07       php/ controls

Question

I'm making an application that communicates with a php page on my server.

With that page I can set scores into the database.

I use post variables to store scores in the db, everything works fine, but if I analyze with wireshark what my game is sending to the page and I re-do the POST request with different data, the page is storing that data on the db.

How can I accept data storing ONLY from my game?

The game is a Java applet, the server is written in PHP

1 answers

solution1
 3 ACCPTED  2013-01-19 14:29:03

You need a way to let the php script know that the data received is genuine.

client side

Put the all the data to be sent concatenated into a string. Put into the string also the current date and time (client side). You need to send that information too.

Then "salt" the string with some more data, either a static string " xyw#q''wz " for example or better something you derive from the sent data.

Let's call that string the check-string

Finally calculate the MD5 hash of the check-string and send it along with your data and current date and time.

server side

The php script receive all the data and the MD5 hash.

Do the same operations on the data received (concatenation, salting, etc..) to re-build the check-string , exactly in the same way you did client-side.

Calculate its MD5 and compare the two hashes: the one received and the one just calculated.

If they match then data is genuine and can be added to the database. Otherwise it is not or it have been reposted.

-

summary

client : data -> build string -> make MD5 from string -> send data & MD5

server : data (received) -> build string -> make MD5 from string

(client side MD5 == server side MD5) ? YES data genuine : NO fake or repost

-

how it works

for any set of data there is only one valid MD5 hash. If someone wants to post fake data he need to pass a valid MD5 too. But he doesn't know how the MD5 is built up.

To make things harder for the hacker I told you to "salt" the string with some random data.

This is just one way (the easier I think) to achieve what you want.

Note that if the client side app would have been written in JavaScript (instead of Java) this approach would have been very vulnerable as the JS code would have exposed the process of building up the check-string .

As a last note: that's not bulletproof. A smart hacker could still guess how you build up the check-string or decompile the Java and (with some effort) find how the check-string is build up to generate the MD5 for his fake data.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How to make a php script executable only from another php script Iframe accept request only from a certain page How to: Text field only accept certain words How can I stop certain part of my php script from executing? (to make my page load faster) PHP script only allow traffic from a certain domain? How to accept only certain special characters while accepting a location address in PHP? PHP make sure that a file is called only from a certain server How do I make a script to grab certain piece of data from a JSON API? http_post() variables to php script from SMS message but only append data to text file if certain variable (telephone number) equals a known Only accept certain file types during PHP file upload
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM