MakeWebGames

Stopping URL abuse


Damond


I have been working on a new mod for my game, the first I have ever coded completely on my own, and it seems I have left a huge opening for abuse. Lucky for me I have only opened up a small part of the system to a few selected beta testers, and they have been checking different ways to try and get around my security and pointed out any flaws. This one, however, I'm not exactly sure how to fix, so I turn to the MWG community once again for a solution.

Here is a small snippet of the coding in question.


<?php
// clicking this link adds +1 to north and sets capture row to 1
// Runs a random to determine if anything is found and how many. Can not exceed 50
if ($minions['north_south'] >= 50) {
    echo '<center><img src="images/north.png"></center>';
} else {
    echo '<center><a href="minion_hunt2.php?step=north"><img src="images/north.png"></a></center>';
}
// If something is found this is printed ($amt2 and $type come from the random roll, not shown here)
$result = "You moved north and found: $amt2 $type!";
// The capture link carries the amount and type in the URL, which is the opening described below
$convert = "<a href='minion_hunt2.php?step=capture&amt=$amt2&type=$type' class='button'>Capture Them?</a>";
// clicking the above link runs another random to determine success or failure in the capturing of minions.
// sets capture to 0 so page can not be refreshed.
?>


So the problem is all a user needs to do is click a direction and it sets capture to 1. Even if I changed it to set only if they actually find something, my existing problem would still be there. If the user clicks a direction, then changes the URL to say:

?step=capture&amt=10000&type=dwarves

They can decide how many they found and of what type, and nothing in my coding is stopping them. How can I stop this? I can't release this system with that hole; there would be too many people spreading this URL cheat around.


Add it into the SESSIONDATA before it hits the URL, then check that session on the next action. If the SESSIONDATA matches, then chances are it's invalid.


<?php
// include globals.php or whatever
// show some h3 title or whatever
if (array_key_exists('minion', $_SESSION) && is_array($_SESSION['minion'])) {
    // A request that repeats the stored step/amt/type is treated as a replay and refused
    if ($_SESSION['minion']['step'] == ($_GET['step'] ?? null)
        || $_SESSION['minion']['amt'] == ($_GET['amt'] ?? null)
        || $_SESSION['minion']['type'] == ($_GET['type'] ?? null)) {
        echo 'No';
        exit($h->endpage());
    }
    unset($_SESSION['minion']);
}
// Do processing code
// Remember what this request produced so the same values cannot be submitted again
$_SESSION['minion'] = [
    'step' => 'capture',
    'amt'  => $amt2,
    'type' => $type
];
// Output..
$h->endpage();


NOTE: This has not been tested

Edited by Magictallguy
Minor optimization

You must be using $_GET[] to set your type and amount, which is never a good idea. If you can't post the data, then do as MagicTallGuy said: store the data in sessions. It's not completely foolproof though, I don't think.

Edit your post and remove "post the data". It doesn't increase the logic security any further at all. Sessions are foolproof (implying the fool is the client and not the developer) as the client holds a reference to the session file that is stored on the server - unless of course you're referring to session poisoning, but then you have a bigger problem than just catching minions.

Just reiterating what Magictallguy said.

Also, enhance the UI and put this GIF up when they press "Capture Them?"


Edited by ~Rob0t
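One way to implement what Magictallguy and ~Rob0t describe, as an added example that is not code from this thread or from the MakeWebGames project: the result of the roll lives only in the server-side session, and the capture step never reads amt or type from the URL, so a request like ?step=capture&amt=10000&type=dwarves awards nothing. The function names, the minion type list, the find/escape odds and the $minions array are assumptions.

```php
<?php
// Added example, not the thread's code. The client only ever sends the action
// (step=north / step=capture); amt and type never travel through the URL.
// Assumed names: findMinions(), captureMinions(); $_SESSION stands in for the game's session data.

const MAX_MINIONS = 50;

// step=north: roll for a find and record it on the server. Returns the HTML to show.
function findMinions(array &$session): string
{
    $types = ['goblins', 'dwarves', 'elves'];            // assumed pool; real game loads from DB
    $found = random_int(0, 3) === 0 ? 0 : random_int(1, 5); // assumed odds: 25% find nothing
    if ($found === 0) {
        unset($session['pending_find']);                  // nothing to capture this turn
        return 'You moved north and found nothing.';
    }
    $type = $types[array_rand($types)];
    // This record, and only this record, decides what the capture step may award.
    $session['pending_find'] = ['amt' => $found, 'type' => $type];
    return "You moved north and found: $found $type! "
         . '<a href="minion_hunt2.php?step=capture" class="button">Capture Them?</a>';
}

// step=capture: award from the server-side record only. $_GET is never consulted here.
function captureMinions(array &$session, array &$minions): string
{
    if (empty($session['pending_find'])) {
        return 'Nothing to capture.';                     // refresh, or a hand-edited URL
    }
    $find = $session['pending_find'];
    unset($session['pending_find']);                      // consume it: one capture per find
    if (random_int(1, 100) > 60) {                        // assumed odds: 40% they get away
        return "The {$find['type']} got away.";
    }
    // Enforce the "can not exceed 50" rule on the server as well.
    $minions['north_south'] = min(MAX_MINIONS, ($minions['north_south'] ?? 0) + $find['amt']);
    return "Captured {$find['amt']} {$find['type']}.";
}

// Dispatcher, as minion_hunt2.php would do it. Only the step name comes from the client.
session_start();
$minions = ['north_south' => 0];                          // constructed; normally loaded per player
switch ($_GET['step'] ?? '') {
    case 'north':   echo findMinions($_SESSION); break;
    case 'capture': echo captureMinions($_SESSION, $minions); break;
    default:        echo 'Unknown step.';
}
```

Because the capture link carries no amount or type, there is nothing in the URL for a player to edit; the only way to be awarded minions is to have a pending find that the server itself rolled.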
