ID:160822
 
I think I've asked before but I can't remember the answer.

say i have a webpage...
var/html={"
<body onLoad="document.send.submit()">
<form name="send" action="http://mysite.com/score.php" method="post">
<input type="hidden" value="[ckey]" name="ckey">
</form>
</body>
"}

src<<browse(html)
src<<browse(null)

would that work?


[edit]
...just thinking about it, BYOND can only GET, right......
So how can I send a player a popup window?

That seems like it should work to me. However, be careful. The user can get that page from their cache, edit it so they have a higher score, then re-submit it - or write a script to spam-submit under a different ckey (MD5 may help you here).

...just thinking about it, BYOND can only GET, right......
That's only true for world/Export (and possibly some other procs).
In response to Nickr5
Nickr5 wrote:
That seems like it should work to me. However, be careful. The user can get that page from their cache, edit it so they have a higher score, then re-submit it

Thanks for the tip. You know any ways around that?

Nickr5 also wrote:
or write a script to spam-submit under a different ckey (MD5 may help you here).

Had that under wraps already ;)

*
edit >_> this is hard... because whatever I print onto the website stays there and I can't delete the cache...
In response to Tubutas
You know any ways around that?
There's no way to delete something from their cache, or prevent it from getting there. The best way would be to create a hash of the player/score combo, then double check everything is valid from PHP.

var/html={"
<html>
<body onLoad="document.send.submit()">
<form name="send" action="http://mysite.com/score.php" method="post">
<input type="hidden" value="[ckey]" name="ckey">
<input type="hidden" value="[score]" name="score">
<input type="hidden" value="[md5("({{[ckey]|[score]}})")]" name="hash">
</form>
</body></html>
"}

src<<browse(html)
src<<browse(null)

Double check that the hash is what it should be for the corresponding ckey and score before adding it to your high score table (or whatever you're using this for).
In response to Nickr5
Duh, why didn't I think of that.... xD. Thanks.
In response to Nickr5
Of course, you should use a random salt to make the hash, as otherwise it's no help. Also, the best, most secure way would be to make your own computer (the game's server) contact the web server itself and have it only accept its address, since even a salted hash won't stop faking completely (a player with a high score can give his hash to others and they'll fake that score no problemo).
Tubutas wrote:
...just thinking about it, BYOND can only GET, right......

Remember, that's [the] BYOND [server]. NOT [the client's] Internet Explorer.
In response to Kaioken
Good idea kao but.. I'm not gonna be hosting the game. (And there's gonna be solo play <_____< and I'm starting to think everyone on BYOND is a hacker >.<)

-and if the ckey and score are hashed together they can only resend the same score under the same key =\ (that's not real cheating). My PHP won't allow duplicates.
In response to Kaioken
Kaioken wrote:
Also, the best, most secure way would be to make your own computer (the game's server) contact the web server itself and have it only accept its address,
I thought of this, but how would you do it? Unless you're relying on the host being online and sending it via IE, it comes back to BYOND's limitation of GET only.


(a player with a high score can give his hash to others and they'll fake that score no problemo).
But you're putting both the key and the score into one hash, so the 'others' would have to send it under the first person's key, which kind of defeats the point of cheating.
In response to Nickr5
Why, I believe you can still ultimately send information.

But you're putting both the key and the score into one hash, so the 'others' would have to send it under the first person's key, which kind of defeats the point of cheating.

You need a salt anyway, though I didn't read the above, my bad. You'd still prefer to block that as well however, as a player could revert to an old score as he wishes (so he can cheat that he actually got a high score multiple times). That could also be a problem if you changed the scoring algorithm in an update, as a player may keep an old hash from before it, so he could also use it to get a high score that originally resulted in an unbalanced scoring algorithm or a now-fixed old scoring-related bug, etc.
In response to Kaioken
You could send the date and time or the algorithm version to the server and put it into the hash to prevent reusing them. Or, you could just change the salt.

As for it needing a salt, that's what the ({{ and }}) were for, but I suppose that's not a great way of protecting it. I assumed he knew enough to change the format and add in his own salt.
In response to Nickr5
Just another alternative that may work better if programmed properly on the PHP side.

Why not use link() and build the query string dynamically?

Then you could pass in the key, time, score, a generated game number etc.. to ensure that it is a valid highscore.

Once it's validated you could have the popup window show anything you want. Whether they got a highscore or not as well as a list of existing highscores and they'd never see the page refresh like they might if you use straight javascript.

Truthfully it doesn't matter whether you send the information via get or post as both are easily modified.

As for sending the player a popup window you'd do it the same way that you would if it was an internal page.

Now for clearing the cache, so to speak. When you use browse you can specify a name for the file. I believe that if you send a new resource with the same filename it will be overwritten. To do this, assuming you decided to use browse, you would just set it to a particular name and then set it to a blank value afterwards without showing it to the player. That should do the trick, but you'd have to test it as I haven't tried it myself.
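
Added example (not part of any post in this thread and not the posters' code): one way to write the PHP-side check the replies describe, recomputing the salted hash over ckey and score, binding in a scoring version and a timestamp so old hashes cannot be reused, and refusing duplicates. The fields version and time, the '|' separator, the constants and the function names are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Assumed (hypothetical) format:
//   hash = md5(SALT|ckey|score|version|time), time in Unix seconds.
const SALT = 'placeholder-secret';   // must match the salt compiled into the game
const SCORING_VERSION = '3';         // hypothetical current scoring version
const MAX_AGE_SECONDS = 300;         // how long a submission stays acceptable

function expected_hash(string $ckey, string $score, string $version, string $time): string
{
    return md5(implode('|', [SALT, $ckey, $score, $version, $time]));
}

// Returns 'ok' or the reason for rejection. $seen stands in for a UNIQUE
// column of already-accepted hashes in the score table.
function check_submission(array $post, array &$seen, int $now): string
{
    foreach (['ckey', 'score', 'version', 'time', 'hash'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            return "missing field: $field";
        }
    }
    if (!ctype_digit($post['score']) || !ctype_digit($post['time'])) {
        return 'score and time must be digits only';
    }
    $want = expected_hash($post['ckey'], $post['score'], $post['version'], $post['time']);
    if (!hash_equals($want, strtolower($post['hash']))) {
        return 'hash mismatch: a field was edited';
    }
    if ($post['version'] !== SCORING_VERSION) {
        return 'hash comes from an old scoring version';
    }
    if (abs($now - (int) $post['time']) > MAX_AGE_SECONDS) {
        return 'submission too old';
    }
    if (isset($seen[$want])) {
        return 'duplicate submission';
    }
    $seen[$want] = true;
    return 'ok';
}

// Constructed sample submissions.
$seen = [];
$now = 1700000100;
$good = ['ckey' => 'player1', 'score' => '1200', 'version' => '3', 'time' => '1700000000'];
$good['hash'] = expected_hash('player1', '1200', '3', '1700000000');
$edited = ['score' => '999999'] + $good;  // cached page with the score changed
foreach ([$good, $edited, $good] as $submission) {
    echo check_submission($submission, $seen, $now), "\n";
}
```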