Reputation: 2342
I'm designing a simple MMORPG using HTML5 canvas, JS, and PHP via AJAX. I've got a simple demo working where a user can log in, and is taken to a page where they can choose a world from a dropdown.
However, I now face a security issue: I need to be able to tell PHP via JS which world to change to, but I don't want the user to be able to change this themselves.
I have a dropdown of worlds available to the user, but don't want them to be able to change to any world they feel like via very simple client-side hacking, i.e. changing the tag's value via Chrome's right-click -> inspect element.
I know the solution would be to make everything server-side, but then how do I pass (from JS to PHP) which world the user has selected to change to?
(Apologies if this was poorly written, and many thanks in advance)
Upvotes: 0
Views: 88
Reputation: 2034
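You simply have to check the value the user gives on the server against a list of which worlds are allowed for that specific user.
    $allowed = array('Christoph' => array('world1', 'world2'), 'saricDen' => array('world1', 'world2', 'world3'));
    // $currentUser is the logged-in user; unknown users get an empty list
    $userWorlds = isset($allowed[$currentUser]) ? $allowed[$currentUser] : array();
    // Strict comparison, and a missing 'world' field is treated as not allowed
    if (isset($_POST['world']) && in_array($_POST['world'], $userWorlds, true))
        echo 'data for ' . $_POST['world'];
    else
        echo 'no data';
When a user requests a world he's not allowed to join, he doesn't get the world's data.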
To post the selected data via ajax: add an onsubmit="sendAjaxRequest();" to the form in which you send the data via ajax to php. Once the request succeeds and tells you if he's allowed to join or not: continue ... or not.
Upvotes: 1
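The server-side check from the answer above, written out as an added example that is not part of the original answers: the user comes from the session, the posted world is matched against a server-held allowlist, and the accepted choice is stored server-side. The function names, the `$session`/`$post` stand-ins for `$_SESSION`/`$_POST`, and the sample requests are assumptions made for illustration.

```php
<?php
// Added example: server-side authorization of a client-chosen world.
// worldsFor(), changeWorld() and the sample data are hypothetical names.

// Constructed allowlist; in a real game this would come from the database.
const ALLOWED_WORLDS = [
    'Christoph' => ['world1', 'world2'],
    'saricDen'  => ['world1', 'world2', 'world3'],
];

function worldsFor(string $user): array
{
    return ALLOWED_WORLDS[$user] ?? [];
}

/**
 * $session stands in for $_SESSION, $post for $_POST.
 * Returns [HTTP status, response body]; updates $session only on success.
 */
function changeWorld(array &$session, array $post): array
{
    // Identity comes from the server-side session, never from the request body.
    $user = $session['user'] ?? null;
    if (!is_string($user)) {
        return [401, ['error' => 'not logged in']];
    }
    $world = $post['world'] ?? null;
    // Strict comparison: rejects arrays, numbers and edited values alike.
    if (!is_string($world) || !in_array($world, worldsFor($user), true)) {
        return [403, ['error' => 'world not allowed']];
    }
    // Remember the choice server-side; later requests read it from the session.
    $session['world'] = $world;
    return [200, ['world' => $world]];
}

// Constructed requests, as if the dropdown value had been edited in dev tools.
$session = ['user' => 'Christoph'];
foreach (['world2', 'world3', ['world1'], null] as $submitted) {
    [$status, $body] = changeWorld($session, ['world' => $submitted]);
    echo $status, ' ', json_encode($body), PHP_EOL;
}
echo 'current world: ', $session['world'], PHP_EOL;
```

Because the accepted world lives in the session, later game requests can read it there instead of trusting a value the client sends again.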
Reputation: 191058
You could generate a special hash for each world key and use that. Another option is to use a hash of all the other values and validate against that.
There is no guarantee that it still couldn't be hacked.
Upvotes: 0