如何保护/编码 Javascript POST 请求 [英] How to secure/encode Javascript POST requests
问题描述
我有一个游戏,我的 JavaScript 通过 POST 调用 PHP 脚本来更改数据库中的值.如何防止有人重复重复请求并给自己十亿分?
I've a game in which my JavaScript calls PHP scripts via POST to change values in the database. How can I prevent someone repeatedly duplicating the request and giving themselves a billion points?
现在我通过 sha1()
传递密码并检查它是否在 PHP 端,但这不会阻止有人重复请求.
Right now I pass a password through sha1()
and check if it's there on the PHP side, but this wouldn't stop someone repeating the request.
我不能使用时间戳,因为在调用(JS POST 请求)和运行 PHP 脚本之间会有时间流逝.
I can't use timestamps because time will lapse between call (JS POST request) and run of the PHP script.
- 我的 PHP 脚本不会增加数据库值 (points=points+10),而是获取传递给它的值并更新字段 (points=300)
- 我针对游戏中的每个互动(以及导致积分上升的每个互动)更新了几个表格.其中之一会跟踪每次投票.该表只允许用户对任何图像进行一次投票.如果我先执行此更新,如果用户尝试重复此请求,结果将返回错误,我可以终止 PHP 脚本.
- My PHP script doesn't increment the database values (points=points+10), it takes the values passed to it and updates the field (points=300)
- I update several tables on each interaction (well each interaction which result in points going up) in the game. One of these keeps track of every vote. This table only allows a user to vote on any image once. If I were to do this update first, if the user has tried to repeat this request, the result would return an error and I could kill the PHP script.
推荐答案
听起来很多这种逻辑现在仍然是客户端,所以你不能阻止某人多次发送score.php?score=1000".
It sounds like a lot of this logic now remains clientside, so you can't stop someone from sending "score.php?score=1000" multiple times.
在服务器端添加逻辑来检查给定请求的执行频率,或者更好的是,完全在服务器端执行游戏逻辑(这样用户就不必提交自己的分数,而只是请求某个游戏要执行的操作,最终产生一个分数,然后可以将其添加到用户).
Add logic to the server side that checks how often a given request can be executed, or, even better, execute game logic completely serverside (so the user won't have to submit his own score, but simply requests a certain game action to be executed, eventually resulting in a score which could then be added to the user).
这篇关于如何保护/编码 Javascript POST 请求的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!