Web Hosting Talk

Quick question,


brcolow
11-14-2002, 03:14 AM
Hey, I am trying to make a PHP/MySQL high score board to interact with Flash. Basically, at the end of my Flash game they can hit submit score (which will submit it to the high score boards). Then the Flash program links to something like www.mysite.com/highscore.php?score=$score_variable, but then it needs to check to see if the person is logged in to submit their score, and not logged in through the Flash game but on my site, like the user login script, which I'm not sure how to do on the highscore.php page. Then I also want to know... people could forge their score by going to www.mysite.com/highscore.php?&score=$score_variable and putting like 99999 for the score, SO MY QUESTION IS:
How can I check to see which website the person is coming from, so they have to be coming from www.mysite.com/game.html or else it says Invalid or something.
Thanks,
Brcolow

brcolow
11-14-2002, 03:20 AM
THIS IS THE REAL QUESTION DISREGARD THE LAST POST!

Hey, I am trying to make a PHP/MySQL high score board to interact with Flash. Basically, at the end of my Flash game they can hit submit score (which will submit it to the high score boards). Then the Flash program links to something like www.mysite.com/highscore.php?score=$score_variable, but then it needs to check to see if the person is logged in to submit their score, and not logged in through the Flash game but on my site, like the user login script, which I'm not sure how to do on the highscore.php page. Then I also want to know... people could forge their score by going to www.mysite.com/highscore.php?&score=$score_variable and putting like 99999 for the score, SO MY QUESTION IS:
How can I check to see which website the person is coming from, so they have to be coming from www.mysite.com/game.html or else it says Invalid or something.
Thanks,
Brcolow

Studio64
11-14-2002, 04:01 AM
// bare $HTTP_REFERER only exists when register_globals is on
if ($HTTP_REFERER == 'http://mysite.com') {
    add_scores();
} else {
    error_fake_score();
}

Rich2k
11-14-2002, 06:40 AM
$_SERVER['HTTP_REFERER'] that should be.

However be aware that not everyone displays their referer information for a site to read. Most people with personal firewalls probably block that information.

MarkIL
11-14-2002, 07:19 AM
Umm.


# the empty line before EOF ends the header block; without it the server keeps waiting
$ cat >/tmp/t.txt <<EOF
GET http://www.yoursite.com/setscore?score=12345678 HTTP/1.0
Accept: */*
Referer: http://www.yoursite.com
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)
Host: www.yoursite.com

EOF
$ cat /tmp/t.txt | nc www.yoursite.com 80


NEVER, EVER, EVER rely on the referer field.

sasha
11-14-2002, 09:51 AM
or if you rely on PHP session and POST vars:

curl -e http://mysite.com/game.html -A "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)" -d score=999999 -b "PHPSESSID=ht08febf7202d8732979108a4a87af90a1" http://www.mysite.com/highscore.php

The solution might seem to be to POST the data and to have the data encoded in the Flash movie in a way that is known only to us. The problem with this is that you have to assume that one might be able to see the ActionScript in your movie and reproduce it.

The thing you might want to look into is the XMLSocket function in Flash.

Lippy
11-14-2002, 01:45 PM
Just a thought about checking to see if people are logged in: create a database, or a table in a database, of users, use cookies, and have a loop check the info in the cookie against the users table/database to make sure that they are logged in and a valid user.
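An added example, not code from any of the posters, showing the direction sasha and Lippy point at: the check lives entirely on the server, bound to the logged-in session rather than to anything the client says about itself. The Referer header is never read. Instead, game.html asks the server for a random single-use token when a round starts; highscore.php accepts a POSTed score only if the session is logged in, the token matches and has not been used yet, and the score is plausible for the time the round took. The function names, the session layout, the `MAX_POINTS_PER_SEC` ceiling and the database call are all assumptions made for this example.

```php
<?php
// Added example (not from the thread): server-side score acceptance that never
// looks at the Referer header. Function names, constants, session layout and the
// scoring rule are assumptions for illustration.
declare(strict_types=1);

const MAX_POINTS_PER_SEC = 50;   // assumed ceiling on how fast a legit player can score
const MIN_GAME_SECONDS   = 10;   // assumed: a real round cannot end faster than this
const TOKEN_TTL_SECONDS  = 3600; // a game token dies after an hour

/**
 * Called when game.html loads for a logged-in user. Issues a random, single-use
 * token and records the start time server side. The token is handed to the Flash
 * movie (e.g. via FlashVars) and must be echoed back on submit.
 * $session is the server-side session array ($_SESSION in a real handler).
 */
function startGame(array &$session, int $now): string
{
    if (empty($session['user_id'])) {
        throw new RuntimeException('not logged in');
    }
    $token = bin2hex(random_bytes(16));
    $session['game'] = ['token' => $token, 'started' => $now, 'used' => false];
    return $token;
}

/**
 * Validates a POSTed score. Returns null on success or a short rejection reason.
 * Nothing here depends on Referer, User-Agent or anything else the client chooses.
 */
function submitScore(array &$session, array $post, int $now): ?string
{
    if (empty($session['user_id'])) {
        return 'not logged in';
    }
    $game = $session['game'] ?? null;
    if ($game === null || $game['used']) {
        return 'no active game';
    }
    // Constant-time compare so the token cannot be guessed byte by byte.
    if (!is_string($post['token'] ?? null) || !hash_equals($game['token'], $post['token'])) {
        return 'bad token';
    }
    if (!isset($post['score']) || !ctype_digit((string)$post['score'])) {
        return 'score must be a non-negative integer';
    }
    $score   = (int)$post['score'];
    $elapsed = $now - $game['started'];
    if ($elapsed < MIN_GAME_SECONDS || $elapsed > TOKEN_TTL_SECONDS) {
        return 'implausible game duration';
    }
    if ($score > $elapsed * MAX_POINTS_PER_SEC) {
        return 'score exceeds what is achievable in ' . $elapsed . 's';
    }
    // Burn the token before writing so a replay of the same POST is rejected.
    $session['game']['used'] = true;
    saveScore((int)$session['user_id'], $score);
    return null;
}

/** Stand-in for the real INSERT; use a prepared statement in the real handler. */
function saveScore(int $userId, int $score): void
{
    // e.g. $stmt = $pdo->prepare('INSERT INTO highscores (user_id, score) VALUES (?, ?)');
    //      $stmt->execute([$userId, $score]);
    printf("stored score %d for user %d\n", $score, $userId);
}

// --- CLI demonstration with a constructed session (not a real login) ---
$session = ['user_id' => 42];
$t0    = time();
$token = startGame($session, $t0);

// Forged request in the style of the curl/nc posts above: right session cookie,
// right token, absurd score. Referer is irrelevant and is not even read.
var_dump(submitScore($session, ['token' => $token, 'score' => '999999'], $t0 + 60));

// Legitimate submission for the same round.
var_dump(submitScore($session, ['token' => $token, 'score' => '1500'], $t0 + 60));

// Replaying the same POST a second time fails because the token was burned.
var_dump(submitScore($session, ['token' => $token, 'score' => '1500'], $t0 + 61));
```

Run it with `php` from the command line; the constructed session at the bottom stands in for a real login. Because the token comes from `random_bytes` and only ever lives in the server-side session, reading the ActionScript does not help an attacker: they can still POST with curl, but only one score per round they actually started, and not higher than the rule allows for the elapsed time. The plausibility rule is the part you tune to your own game; it limits damage rather than making cheating impossible, since a patched client can still play out a round and report a high but plausible number.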

brcolow
11-14-2002, 06:43 PM
# the empty line before EOF ends the header block; without it the server keeps waiting
$ cat >/tmp/t.txt <<EOF
GET http://www.yoursite.com/setscore?score=12345678 HTTP/1.0
Accept: */*
Referer: http://www.yoursite.com
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)
Host: www.yoursite.com

EOF
$ cat /tmp/t.txt | nc www.yoursite.com 80

How the hell is that NOT PHP!?
And also, what's wrong with the referer field?

AQHost
11-14-2002, 07:05 PM
And also, what's wrong with the referer field?

It can be faked with a minimal amount of time, effort and knowledge. The referer field should never be relied upon for authentication of a request.

Best wishes,
Simon.

Rich2k
11-14-2002, 07:50 PM
Not only can it be faked... it can be omitted completely. As I said above, almost all the personal firewalls block referer information by default.

brcolow
11-14-2002, 11:10 PM
OK,
So how else can I do it...

# the empty line before EOF ends the header block; without it the server keeps waiting
$ cat >/tmp/t.txt <<EOF
GET http://www.yoursite.com/setscore?score=12345678 HTTP/1.0
Accept: */*
Referer: http://www.yoursite.com
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)
Host: www.yoursite.com

EOF
$ cat /tmp/t.txt | nc www.yoursite.com 80

To me that makes no sense whatsoever, that can't be PHP! So how can I do it?