Anyway this is what my game will pass to the php file on my server:
www.mysite.com/awardgivemm1.php?zx35=43&awardid=1&str=4a366113efdeea06367bb7fd0b04343f
In the php file on my server:
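<?php
// Read the request parameters from the query string.
$zx35    = $_GET['zx35'];     // member id
$awardid = $_GET['awardid'];  // award id
$str     = $_GET['str'];      // fixed token sent by the game

$con = mysql_connect("localhost","database","pass");
if (!$con)
{
    echo "8"; // could not connect to the database
}
$today = date("Ymd");
mysql_select_db("database_forum", $con);

// Does this member already hold this award? (parameters go into the SQL unchecked)
$check_if_got_award = mysql_query("SELECT ID_MEMBER , ID_AWARD FROM smf_awards_members WHERE ID_MEMBER='{$zx35}' AND ID_AWARD='{$awardid}'");
$awardidmember="{$awardid}000{$zx35}";
if(mysql_num_rows($check_if_got_award)==0)
{
    // Confirm the member exists before giving the award.
    $give_award = mysql_query("SELECT ID_MEMBER FROM smf_members WHERE ID_MEMBER=$zx35");
    while ($row = mysql_fetch_assoc($give_award))
    {
        if ($row['ID_MEMBER']==$zx35)
        {
            // The only check on the caller is this fixed string from the URL.
            if ($str == '4a366113efdeea06367bb7fd0b04343f')
            {
                mysql_query("INSERT INTO smf_awards_members (ID_AWARD_MEMBER , ID_AWARD , ID_MEMBER , dateReceived) VALUES ($awardidmember, $awardid, $zx35, $today)");
                echo '1'; // award given
            }
        }
    }
}
if(mysql_num_rows($check_if_got_award)!==0)
{
    echo '5'; // member already has this award
}
mysql_close($con);
?>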
You see at the moment it is completely insecure.
[edited by: Ben878 at 5:47 pm (utc) on Feb. 9, 2008]
If it's on a phone without that sort of option available and about the only way to do it is to pass it on the url, then I think about the easiest way to do it would be to encipher the score and user id, possibly combining it with the time and date. Then on the php end you decipher it and if the info looks valid you insert it into the database.
You'd do crazy things to the data like adding 346 or multiplying by 7, something you can undo on the database end. The reason the date/time might be useful is if someone tries to send the same data twice - you could log the date/time along with the score and if it's a repeat you reject it.
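The timestamp-and-reject-repeats idea from the reply above, as an added example that is not from the thread: it swaps the reversible arithmetic for an HMAC-SHA256 signature over the member id, award id and a timestamp, and rejects stale or repeated requests. The key, the `ts` and `sig` parameter names, the five-minute window and the in-memory `$seen` store (standing in for a database table) are assumptions.

```php
<?php
// Added example; key, parameter names and time window are assumptions.
// A key shipped inside the game can be extracted from it, so this stops
// URL editing and replays, not a modified client.
const SHARED_KEY = 'constructed-demo-key';
const MAX_AGE    = 300; // seconds a signed request stays valid

// Game side: build the query string that is appended to the award URL.
function sign_request(int $member, int $award, int $ts): string {
    $sig = hash_hmac('sha256', "$member|$award|$ts", SHARED_KEY);
    return http_build_query(['zx35' => $member, 'awardid' => $award, 'ts' => $ts, 'sig' => $sig]);
}

// Server side: returns [member, award] as integers, or null if rejected.
function verify_request(array $get, int $now, array &$seen): ?array {
    foreach (['zx35', 'awardid', 'ts'] as $k) {
        // Only plain decimal digits are accepted, so nothing else reaches SQL.
        if (!isset($get[$k]) || !is_string($get[$k]) || !ctype_digit($get[$k])) return null;
    }
    if (!isset($get['sig']) || !is_string($get['sig'])) return null;
    [$member, $award, $ts] = [(int)$get['zx35'], (int)$get['awardid'], (int)$get['ts']];
    $expected = hash_hmac('sha256', "$member|$award|$ts", SHARED_KEY);
    if (!hash_equals($expected, $get['sig'])) return null;  // edited or forged
    if (abs($now - $ts) > MAX_AGE) return null;              // too old
    if (isset($seen[$get['sig']])) return null;              // same data sent twice
    $seen[$get['sig']] = $ts;                                // log it for next time
    return [$member, $award];
}

// Demo with constructed values.
$seen = [];
$now  = 1202579220;
parse_str(sign_request(43, 1, $now), $get);
var_dump(verify_request($get, $now, $seen));     // first submission
var_dump(verify_request($get, $now, $seen));     // identical request replayed
$forged = ['awardid' => '2'] + $get;             // award id changed, old signature kept
var_dump(verify_request($forged, $now, $seen));
parse_str(sign_request(43, 3, $now - 3600), $old);
var_dump(verify_request($old, $now, $seen));     // validly signed but an hour old
```

The integers returned by `verify_request` can then be bound as parameters in a prepared statement for the award insert.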