I currently have a JS game posted on my website. I want to have an HTML form that get's the user's name and submits it to the server (saved on just a text file). At the moment, I could use PHP so that website/game/scores.php?action=submit&name="Player's Name"&score="Player's Score". I'm pretty confident that this would work. However, anyone who could read my HTML could just pass a fake score onto that function.
How should I approach this security problem?
Note: I know SQL would probably work better for this situation, but I'm not interested in learning mySQL yet!
Thanks in advance.
EDIT: Now I have another problem. The PHP isn't getting the POST parameters from the form. Code is below:
JS:
var form = document.createElement("form");
form.setAttribute("method", "post");
form.setAttribute("action", "http://michaelman.net/snake/scores.php");
var dataField = document.createElement("input");
dataField.setAttribute("type", "hidden");
dataField.setAttribute("name", name);
dataField.setAttribute("value", score);
form.appendChild(dataField);
document.body.appendChild(form);
form.submit();
PHP:
switch($_SERVER['REQUEST_METHOD']){
case 'GET': $the_request = &$_GET; echo "GTFO!";
case 'POST': $the_request = &$_POST; writeToFile($_POST['name'], $_POST['value']);
echo ("Saved: " . $_POST['name'] . " - " . $_POST['value']);
}
Although the server recognizes the request, it can't get any of the parameters. Why is that? Thanks.
EDIT 2: Sorry for the dumb edit. I've figured it out by creating two separate form fields, one for name and the other for score. In the PHP code, I just retrieve the "name" and "score" parameters.
