How do I make a POST using libcurl from a game written in C++ to a PHP page on my server more secure?
I wrote a game in C++ using SDL. The game currently updates a high score on my game site by making a POST with curl if the user has logged in. The problem I am having is that the POST reveals the URL of the PHP file that receives it on my server, and the variables that the POST uses. Last night someone from China figured this out, created 5 accounts and then posted ridiculously high high scores for those users. Is there any way I can make this more secure?
Would SSL work? I've been reading about SSL all morning, and I got curl to verify that SSL is installed, but I honestly don't even know where to start with getting my PHP verification page communicating with my game using SSL. I'd really hate to take the whole high score feature down because I've already invested so much time into all of this.
At this point I am looking for the simplest solution to prevent someone from making a form and posting new high scores to the PHP page.
Any help would be greatly appreciated.
You could add a small layer of security by passing not only the high score, but a hashed version that is validated on the PHP side. e.g.
{"hs": "2000", "hash": "843ed7842a6bd864162022e48b84a668"}
Posted to your PHP script, which then checks:
<?php
$hs   = $_POST['hs'];
$hash = $_POST['hash'];
// hash_equals() is a constant-time comparison and avoids PHP's loose == behaviour
if (hash_equals(md5('secret' . $hs), $hash)) {
    // UPDATE HighScore
} else {
    // Discard, flag spammer
}
The quickest solution would be to keep an eye on the high score list, delete impossible-looking scores, and blacklist known cheaters.
However, for a longer-term solution, could you possibly send a list of the player's timestamped "physical input" (mouse clicks, key presses, etc.) along with the high score?
The server could then perform some logic on the input (perhaps even running that input through a game client running on the server) to determine whether the high score is valid.
If your game uses random numbers, you'd have to send the initial random seed as well.
Once you manage to implement this, you could fairly easily create a replay system, too, which would allow players to share replays of their games with each other.
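The replay-validation idea from this answer, as an added example that is not part of the original answer: a constructed toy game whose targets are drawn from a seeded PRNG, so that the server can re-run the same simulation from the submitted seed and timestamped input log and compare the replayed score with the claimed one. The game rules, the `Click` record, the 50 ms "faster than a human" threshold and the `perfect_play` helper are all assumptions made for the illustration.

```python
import random
from dataclasses import dataclass

# Constructed toy game used only to illustrate server-side replay checking.
# Every TICK_MS a target appears in one of 10 columns, drawn from a PRNG
# seeded with the value the client sends along with its input log.  A click
# scores if it hits the column of the target currently on screen.
TICK_MS = 100
DURATION_MS = 1000
MIN_CLICK_GAP_MS = 50   # hypothetical "faster than a human" threshold


@dataclass(frozen=True)
class Click:
    t_ms: int     # milliseconds since the game started
    column: int   # column the player clicked


def targets_for(seed: int) -> list:
    """Same seed -> same target sequence, on client and server alike."""
    rng = random.Random(seed)
    return [rng.randrange(10) for _ in range(DURATION_MS // TICK_MS)]


def simulate(seed: int, clicks) -> int:
    """Replay a game from its seed and timestamped inputs; return the score.

    The client runs this to show the score; the server runs it again on the
    submitted log, so the claimed score never has to be trusted.
    """
    targets = targets_for(seed)
    score = 0
    for c in clicks:
        if 0 <= c.t_ms < DURATION_MS and targets[c.t_ms // TICK_MS] == c.column:
            score += 1
    return score


def validate_submission(seed: int, clicks, claimed_score: int):
    """Server-side check of a submitted (seed, input log, score) triple.
    Returns (accepted, reason)."""
    clicks = sorted(clicks, key=lambda c: c.t_ms)
    # Plausibility check on the raw input before spending time on a replay
    for earlier, later in zip(clicks, clicks[1:]):
        if later.t_ms - earlier.t_ms < MIN_CLICK_GAP_MS:
            return False, "inputs faster than a human could produce"
    replayed = simulate(seed, clicks)
    if replayed != claimed_score:
        return False, f"claimed {claimed_score} but replay scores {replayed}"
    return True, "ok"


def perfect_play(seed: int) -> list:
    """A legitimate input log that hits every target (constructed test input)."""
    return [Click(i * TICK_MS + 10, col) for i, col in enumerate(targets_for(seed))]


if __name__ == "__main__":
    log = perfect_play(7)
    print(validate_submission(7, log, simulate(7, log)))   # accepted
    print(validate_submission(7, log, 9999))               # replay mismatch
```

Because `simulate` is shared by both sides, the same log also doubles as the replay file the answer mentions; the server only needs to store the seed and the input list, not the score.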
You can add a salt to the data that only the C++ app and the server know.
Or can't you?
SSL itself won't be enough to stop people from posting high scores. There are a couple of approaches I can think of to begin with:
- Ship your code with a secret key that is used to encrypt the high score before sending it to the server. This has the downside that someone could reverse engineer your game to get the key. This is probably okay though, if you don't think someone would go through the trouble. Crypto++ is a C++ encryption library that you could use for this. You probably want to use symmetric-key encryption.
- What I think some other games do is use some aspect of the game state along with the raw high score value, so that a submitted score is invalid if it doesn't include that game state.
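The shared-secret scheme that the first answer sketches in PHP, the salt suggestion, and the "ship a secret key with the game" bullet above all reduce to the same check: the client authenticates the score with a key it shares with the server, and the server recomputes and compares. The following is an added example, not code from any of the answers, modelling both sides in Python (the C++/libcurl client would build the same body; the PHP script would do the same verification). It uses HMAC-SHA256 instead of `md5('secret'.$hs)`, and goes beyond the answers by adding a per-submission nonce and timestamp so that a captured valid POST cannot simply be resent. `SHARED_SECRET`, the field names and the 300 s skew window are constructed values.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed shared secret.  In the asker's setup it would be compiled into
# the C++ client and kept in the PHP script; anyone who extracts it from the
# game binary can forge submissions, which is the ceiling of this approach.
SHARED_SECRET = b"example-secret-replace-me"
MAX_CLOCK_SKEW_S = 300


def canonical(fields: dict) -> bytes:
    """Byte string both sides authenticate: fixed key order, no whitespace."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign(fields: dict, secret: bytes) -> str:
    return hmac.new(secret, canonical(fields), hashlib.sha256).hexdigest()


def client_build_submission(user: str, score: int, secret: bytes = SHARED_SECRET, now=None) -> dict:
    """The body the game would POST (what the C++/libcurl side sends)."""
    fields = {
        "user": user,
        "score": score,
        "ts": int(time.time() if now is None else now),  # submission time
        "nonce": secrets.token_hex(8),                    # unique per submission
    }
    fields["sig"] = sign(fields, secret)
    return fields


class ScoreServer:
    """Stand-in for the PHP receiver: verifies the MAC, then rejects stale
    or replayed posts before touching the high-score table."""

    def __init__(self, secret: bytes = SHARED_SECRET):
        self.secret = secret
        self.seen_nonces = set()
        self.scores = {}

    def accept(self, body: dict, now=None):
        now = int(time.time() if now is None else now)
        try:
            sig = body["sig"]
            unsigned = {k: v for k, v in body.items() if k != "sig"}
            user, score = unsigned["user"], unsigned["score"]
            ts, nonce = unsigned["ts"], unsigned["nonce"]
        except (KeyError, TypeError):
            return False, "malformed"
        if not (isinstance(sig, str) and isinstance(ts, int)):
            return False, "malformed"
        # compare_digest is constant-time and has none of PHP's loose == surprises
        if not hmac.compare_digest(sign(unsigned, self.secret), sig):
            return False, "bad signature"
        if abs(now - ts) > MAX_CLOCK_SKEW_S:
            return False, "stale timestamp"
        if nonce in self.seen_nonces:
            return False, "replayed submission"
        if not isinstance(score, int) or score < 0:
            return False, "invalid score"
        self.seen_nonces.add(nonce)
        self.scores[user] = max(self.scores.get(user, 0), score)
        return True, "ok"


if __name__ == "__main__":
    server = ScoreServer()
    post = client_build_submission("alice", 2000)
    print(server.accept(post))        # accepted
    post["score"] = 999999
    print(server.accept(post))        # bad signature
```

Signing the whole canonical body (user, score, timestamp, nonce) rather than just the score is what makes the tampered-score case fail: changing any field changes the MAC. It still does not stop a player who extracts the key from the binary and produces a properly signed fake score, which is the limitation the answer above already points out; the replay-the-inputs approach is the one that addresses that.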