dsjlqkbpn029473708 2010-03-19 02:18
浏览 118
已采纳

如何在PHP中更安全地处理AJAX请求?

Ok, so I want to send AJAX requests to my website from my Flash games to process data, but I don't want people downloading them, decompiling them, then sending fake requests to be processed, so I'm trying to figure out the most secure way to process in the PHP files. My first idea was to use Apache's built in Authorization module to require a username and password to access the pages on a separate subdomain of my website, but then you'd have to include that username and password in the AJAX request anyway so that seems kind of pointless to even try.

My current option looks pretty promising but I want to make sure it will work. Basically it just checks the IP address being sent using REMOTE_ADDR to make sure it's the IP address that my server runs on.

<?
$allowed = new Array("64.120.211.89", "64.120.211.90");
if (!in_array($_SERVER['REMOTE_ADDR'], $allowed)) header("HTTP/1.1 403 Forbidden");
?>

Both of those IP addresses point to my server. Things I'm worried about:

1) If I send a request from Flash/ActionScript, will that affect the IP address in any way?

2) Is it possible for malicious users to change the IP address that is being sent with REMOTE_ADDR to one of my IP addresses?

Any other ways you would suggest that might be more secure?

  • 写回答

4条回答 默认 最新

  • dongyang4615 2010-03-19 05:55
    关注

    I've really been thinking about this. People hack games to get #1 on the scoreboard, correct? That's the only reason, they want to be on top. So, I've decided to completely get rid of the global scoreboard. Users, of course, will have their personal scores recorded so they can compete against themselves, but other than that, each game will simply give users an award for accomplishing some specific task. That way score is irrelevant. Whether you get 1,000,000 or 1,000, you still get the same award. This will deter hackers because their efforts are meaningless. Yes, I can still implement some form of lower-level security when transmitting data to the server via AJAX requests, but really it wouldn't seem very logical for someone to hack my game just to get an award that is exactly the same as any award anyone else has received. I know it seems like I'm kind of avoiding the issue, but really I'm not. I'm facing the real issue which is the hackers and pretty much demolishing their motivation to hack the game while still maintaining that sense of competition. Most hackers do it to gain attention, so they can look at the scoreboard and say, 'Yeah, I hacked the game to get that score.' But if they only have a little icon in their profile, who's going to care?

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(3条)

报告相同问题?

悬赏问题

  • ¥15 急matlab编程仿真二阶震荡系统
  • ¥20 TEC-9的数据通路实验
  • ¥15 ue5 .3之前好好的现在只要是激活关卡就会崩溃
  • ¥50 MATLAB实现圆柱体容器内球形颗粒堆积
  • ¥15 python如何将动态的多个子列表,拼接后进行集合的交集
  • ¥20 vitis-ai量化基于pytorch框架下的yolov5模型
  • ¥15 如何实现H5在QQ平台上的二次分享卡片效果?
  • ¥15 python爬取bilibili校园招聘网站
  • ¥30 求解达问题(有红包)
  • ¥15 请解包一个pak文件