How to pass immutable data through two webpages that can't be user-generated

I have a flash application (a game) and it needs to pass data to a php page to save the user, and the user's score. However I don't want the user to be able to alter the score him开发者_如何转开发/herself or to initial a scoring without using the application.

What is the best way to do this?

If the client (i.e. flash) is keeping track of/generating the score, there is no secure way for you to send the score to the server. Whatever the swf file can do, an attacker can also imitate.

The only secure way is to send each user move or action to the server. The server is responsible for the state of the game and maintaining the score; the client just generates the moves.

With such an approach, an attacker cannot manipulate the score. He can still bypass your SWF file, but to get a high score he still has to make the right moves. The attacker can make a bot to make the moves intelligently; to avoid that you can only use security by obscurity.

Implement a md5-hash function and hash the score and the username.

Then load a PHP-file from Flash with score, username and md5-hash as GET-parameters. The PHP-file checks the data by hashing the values again.

Since Flash runs in the browser it can be recompiled so you cannot be 100% sure. If you want to get sure completely you have to validate each step the user does with the server.

You have two services. One service is the game service. The other service is the scoring service. You need to set up some kind of authentication around your scoring service. Your game service then needs some set of credentials to access this authentication.

One approach would be to surround your score service with https and require an https token to access it. Your game service could then have that token hard coded into the server-side code of the game itself.