How to secure AJAX requests?

Get help using Construct 2

Post » Thu Aug 21, 2014 1:57 pm

So my game does not send any sensitive data: just anonymous score values. Still, having it all on the table via www.xx.com?score=5 seems kind of insecure?

Basically it is very easy to inject something there or to exploit this URL to add anything you want to the database (MySQL).
Can you recommend any ways to prevent this?

Post » Thu Aug 21, 2014 4:48 pm

I gave an answer to this a while back for someone else. Maybe it will help you...
https://www.scirra.com/forum/viewtopic.php?f=147&t=111694&p=813850#p813850

Post » Thu Aug 21, 2014 6:58 pm

@troublesum, thanks, that was a really insightful answer. So basically the approach to security here is the same as anywhere else.

I'm just wondering whether it is worth it to deal with all the handshakes and encryption just to send anonymous scores. Even if someone dropped the entire MySQL table I'd just re-up it from backup. On the other hand, why tempt fate.... I'll have a look at how cumbersome the mechanisms you described would be to implement.

Post » Thu Aug 21, 2014 9:06 pm

It's probably best to not just have your sql open to any query it gets.
A really simple solution would be to sanitize the data via PHP on the back end so that the only thing that would ever happen from an AJAX call would be that a number is added to the high score. That way, even if they tried to send an injection, it would end up as just a number, and dropped on the high score.

More advanced would be to format the number in a specific way so that if any other number was received (such as an injection attack), it wouldn't even add that false high score.

I would suggest a PDO operation, instead of mysqli, but if that's not an option for you, you can still sanitize mysqli.

Post » Mon Dec 01, 2014 8:11 pm

Look into "Prepared Statements". They exist for various languages and exist to solve the problem of injection.
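The two replies above (force the value to a number on the back end, then use a prepared statement) as a worked example. This is added here and is not code from the thread, from Construct 2 or from Scirra; it is Python with an in-memory SQLite table standing in for the MySQL table behind www.xx.com?score=5. The table name `highscores`, its columns, the `MAX_SCORE` cap and the injection payload are all assumptions constructed for the demo. The `?` placeholders are the same idea as PHP's PDO `prepare()`/`execute()` with bound parameters, and `validate_score()` is the equivalent of casting with `(int)` or `filter_var(..., FILTER_VALIDATE_INT)` before the query.

```python
import re
import sqlite3

# Constructed stand-in for the MySQL table behind ?score=N:
# an in-memory SQLite database with an assumed table `highscores`.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE highscores (name TEXT NOT NULL, score INTEGER NOT NULL)")
    conn.commit()
    return conn


def insert_score_vulnerable(conn, score_param):
    """The pattern the thread warns about: the raw ?score= value is glued
    into the SQL string. executescript() runs multiple statements, which is
    what lets a '; DROP TABLE' payload execute."""
    conn.executescript(
        "INSERT INTO highscores (name, score) VALUES ('anon', " + score_param + ");"
    )


def insert_score_bound_only(conn, score_param):
    """Binding without validating: the payload can no longer run as SQL, but
    it is stored verbatim as a bogus 'score'. This is why the reply above
    also wants the value forced to a number."""
    conn.execute(
        "INSERT INTO highscores (name, score) VALUES (?, ?)", ("anon", score_param)
    )
    conn.commit()


MAX_SCORE = 1_000_000  # assumption: no legitimate score is above this


def validate_score(score_param):
    """Back-end sanitizing: accept only a plain decimal integer in range.
    Letters, quotes, semicolons or absurd values are rejected before the
    value gets anywhere near the database."""
    if not isinstance(score_param, str) or not re.fullmatch(r"[0-9]{1,9}", score_param):
        raise ValueError("score must be a non-negative decimal integer")
    score = int(score_param)
    if score > MAX_SCORE:
        raise ValueError("score out of range")
    return score


def insert_score_safe(conn, score_param):
    """Validate, then bind the value with a placeholder (a prepared
    statement). The driver sends the score as data, never as SQL text,
    so it cannot change the statement's shape."""
    score = validate_score(score_param)
    conn.execute(
        "INSERT INTO highscores (name, score) VALUES (?, ?)", ("anon", score)
    )
    conn.commit()
    return score


def table_exists(conn):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = 'highscores'"
    ).fetchone()
    return row is not None


def count_scores(conn):
    return conn.execute("SELECT COUNT(*) FROM highscores").fetchone()[0]


def demo():
    """Run one constructed injection payload through all three code paths."""
    payload = "5); DROP TABLE highscores; --"

    vulnerable = make_db()
    insert_score_vulnerable(vulnerable, "5")
    insert_score_vulnerable(vulnerable, payload)
    dropped = not table_exists(vulnerable)  # the second call drops the table

    bound = make_db()
    insert_score_bound_only(bound, payload)
    stored = bound.execute("SELECT score FROM highscores").fetchone()[0]

    safe = make_db()
    insert_score_safe(safe, "5")
    try:
        insert_score_safe(safe, payload)
        rejected = False
    except ValueError:
        rejected = True

    return {
        "dropped": dropped,            # True: string-glued query lost the table
        "bound_only_stored": stored,   # the payload text sitting in the score column
        "rejected": rejected,          # True: validation refused it outright
        "safe_rows": count_scores(safe),
    }


if __name__ == "__main__":
    print(demo())
```

Note what each layer does and does not buy you: the placeholder alone stops the table from being dropped, the integer check keeps junk out of the score column, but neither stops someone hand-sending `score=999999`, which is the separate problem the handshake approach in the linked reply is about.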
