[nycphp-talk] Tamperproof URLs and PHP slides posted

Rob Marscher rmarscher at beaffinitive.com
Thu Dec 13 23:05:47 EST 2007


I wrote a couple of Flash client / PHP server casino games.  I didn't  
actually do the Flash client part (takes me forever to produce nice  
looking stuff with that app) but I did come up with the API.  It used  
a token and timestamps that were hashed with a secret key - pretty  
similar to the way that Amazon's API works.  The only way I came up  
with to really prevent cheating was to keep all of the game logic on  
the server and use the client to send user actions and display the  
response.  So for a blackjack game, for example, the client would say  
start a new game - which would give it a new token - then the server  
would deal the cards and tell the client which cards it was dealt, the  
client would tell the server if it was hitting, staying, splitting,  
doubling, etc. and then the server would tell the client if it won or  
not.

Sort of a side note here... but I also had a client once ask if we  
could serve a video in a Flash player and make it not possible for  
anyone to download it.  I told them we would have to embed the video  
in the Flash player timeline (which makes it not look as good), we  
would have to encrypt the whole thing somehow and obfuscate the key to  
unencrypt it (perhaps it could be timestamp based and requested from  
the server which would send back a current key to use and verify the  
client was authorized to have it).  After going through all that  
trouble and spending a ton of money, a really good hacker could still  
crack it and even worse... any screen capture program could easily  
save the video as another file.  That was my long way of saying... it  
can't be done.
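
The token-and-timestamp scheme with server-side game logic described in the message above, sketched as an added example that is not part of the original post or the author's code. It assumes the server signs the token itself with HMAC-SHA256 so the key never reaches the client; the function names, key, and five-minute window are hypothetical.

```php
<?php
// Added illustration; names, key and time window are assumptions, not from the post.
const SECRET_KEY  = 'constructed-demo-key-load-from-config'; // never sent to the client
const MAX_AGE_SEC = 300;
const ACTIONS     = ['hit', 'stay', 'split', 'double'];

// HMAC over the fields the client must not be able to alter.
function signFields(string $gameId, int $issuedAt): string
{
    return hash_hmac('sha256', $gameId . '|' . $issuedAt, SECRET_KEY);
}

// "Start a new game": the server creates the game and hands back a signed token.
function issueToken(int $now): array
{
    $gameId = bin2hex(random_bytes(16));
    return ['game' => $gameId, 'ts' => $now, 'sig' => signFields($gameId, $now)];
}

// Every later request echoes the token and names one user action, nothing more.
function checkRequest(array $req, int $now): string
{
    foreach (['game', 'ts', 'sig', 'action'] as $field) {
        if (!isset($req[$field]) || !is_scalar($req[$field])) {
            return 'rejected: missing field';
        }
    }
    $ts = (int) $req['ts'];
    // Constant-time comparison so the check leaks nothing about the expected value.
    if (!hash_equals(signFields((string) $req['game'], $ts), (string) $req['sig'])) {
        return 'rejected: bad signature';
    }
    if ($ts > $now || $now - $ts > MAX_AGE_SEC) {
        return 'rejected: token expired';
    }
    if (!in_array($req['action'], ACTIONS, true)) {
        return 'rejected: unknown action';
    }
    // The server would now load its own stored hand for this game and apply the action.
    return 'accepted';
}

// Constructed sample requests: valid, altered timestamp, stale token, client-side "result".
$now   = time();
$token = issueToken($now);
echo checkRequest($token + ['action' => 'hit'], $now), "\n";
echo checkRequest(['ts' => $now + 60] + $token + ['action' => 'hit'], $now), "\n";
echo checkRequest($token + ['action' => 'stay'], $now + 3600), "\n";
echo checkRequest($token + ['action' => 'win'], $now), "\n";
```

The request carries only the signed token and an action name; cards and outcomes never come from the client, so a modified client has nothing to forge beyond choosing a legal move.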
