PHP - making sure $_REQUEST is what I set it.

[jamesmorris86]

Hey guys,

I am using request to pass a variable to my code that I need to update my database. Its for a game, you click on the character to attack them.

<a href="?attackverify=yes&username={$row['username']}">

But at the moment anyone is free to simply change the url and enter a different username to attack someone else.

Is there any way to verify that the user hasn't tampered with the code? or maybe a different approach I cant think of?

 

[jamesmorris86]

It does use sessions, but that link is actually to attack another player. It uses a foreach to display all the logged in users so the $row['username'] wont match the session thats created when they log in.

I'm thinking maybe I can atleast encrypt and decrypt the request data to make it slightly more secure.

 

[jamesmorris86]

I can change it from username to their I.d.

Posting the request sounds interesting. I know how to send post using a form but have never used it in this way before.

Is it possible to use <a href... to send data using post?

 

[jamesmorris86]

Currently there are checks to make sure that the attacker/other players are not unconscious and there's also a time stamp check in place to stop attack flooding.

Thats about as far as I have got. I'm going to try the JavaScript post method when I get home which will hopefully resolve my original issue