Simple Score Submission Security

Sunday, December 2nd, 2007


If you’ve made a Flash game with a PHP high score table without any security before, you’ve probably found some unpossible scores sitting on top of your chart when you wake up one morning. Well, in this tutorial, we’ll see how to implement, in ActionScript 3.0, a simple keyed-hash check that is relatively secure. It’s not perfectly secure, but it will fend off your usual score cheater. This tutorial also assumes that you know the basics of implementing a high score system in Flash and PHP. If you don’t, please check out this tutorial.

The basic concept of this method is to use MD5 to compute a keyed hash (an HMAC) of the submission data. Then we send the data, along with the MD5 hash, to the PHP script. The PHP script takes the data and hashes it with the same key. If the two hashes match, then we know it’s legit.

First, let’s go over what to do on the Flash side of things. We will need an encryption API capable of MD5 for AS3, such as this encryption package by Geoffrey Williams. There are others which can be found by Googling, but this one is pretty simple to use.

Suppose we want to submit the player’s name and score. We construct a string from those values:

var playerData:String = playerName + playerScore;

Then we use the MD5 package to hash it with a key, which is a secret string that we make up. Assuming we are using the package shown above, the code would look something like this:

var key:String = "HASH_KEY";
var hashData:String = MD5.hex_hmac_md5(key, playerData);

After we have this, we just send both the playerData and hashData to our PHP score submission script using a POST method.

Over on the PHP script, we take the playerData, and run it through MD5 with the same secret key that we used in Flash. If the result matches the hashData that we received from Flash, then it’s a valid score submission. The operative PHP functions here are bin2hex and mhash.

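$key = "HASH_KEY";
// Values sent by the Flash client via POST
$playerData = $_POST['playerData'];
$hashData = $_POST['hashData'];
$result = bin2hex(mhash(MHASH_MD5, $playerData, $key));
if ($result === $hashData) { // strict: == compares numeric-looking strings as numbers
    // record submission
}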

That’s all there is to this method. You’ve probably noticed, but the one flaw in this method is that if the hacker has access to the Flash source, then he can find out the secret key and beat the system. Fortunately, as far as I know, there are no public AS3 decompilers yet. Should one appear, we’d have to use obfuscation to hide the key or use some sort of SWF encryption program such as Amayeta. Nonetheless, this method should keep most casual cheaters off your back.
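The server-side check described above, written as an added example (not code from the original post): it swaps mhash and == for hash_hmac and hash_equals, assuming PHP 7 or later, and uses constructed strings to show why a loose comparison of hex digests is unsafe. The helper name verify_submission and the sample name and score are assumptions.

```php
<?php
// Added example, not from the original post.
// verify_submission() is a hypothetical helper name.
const HASH_KEY = 'HASH_KEY'; // placeholder key, as in the tutorial

function verify_submission($playerData, $hashData, string $key): bool
{
    // POST fields can arrive as arrays (playerData[]=x); accept strings only.
    if (!is_string($playerData) || !is_string($hashData)) {
        return false;
    }
    // An HMAC-MD5 digest is exactly 32 hex digits; reject anything else early.
    $hashData = strtolower($hashData);
    if (!preg_match('/\A[0-9a-f]{32}\z/', $hashData)) {
        return false;
    }
    // Same value as bin2hex(mhash(MHASH_MD5, $playerData, $key)).
    $expected = hash_hmac('md5', $playerData, $key);
    // Byte-wise string comparison in constant time, no numeric conversion.
    return hash_equals($expected, $hashData);
}

// Constructed sample submission, built the way the Flash client builds it.
$playerData = 'alice' . '4200';
$hashData   = hash_hmac('md5', $playerData, HASH_KEY);

// Case 1: untouched submission.
var_dump(verify_submission($playerData, $hashData, HASH_KEY));
// Case 2: score changed after the hash was computed.
var_dump(verify_submission('alice' . '999999', $hashData, HASH_KEY));
// Case 3: field sent as an array instead of a string.
var_dump(verify_submission(['alice4200'], $hashData, HASH_KEY));

// Constructed digit strings of the form 0e<digits>: PHP's loose == reads
// both as the number zero, while hash_equals compares them as text.
$a = '0e111111111111111111111111111111';
$b = '0e222222222222222222222222222222';
var_dump($a == $b);
var_dump(hash_equals($a, $b));
```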