This is the second part of Understanding MochiAds Publisher Bridge.
In the first step I showed you how to configure a cross-domain policy file, call the JavaScript and send the results to a webpage.
Now it’s time to prevent cheating.
As you can see, it’s very easy to send some POST variables to a webpage, and it’s even easier when you know the name of that webpage… and in our case you can find it simply by looking at the HTML.
If you look at the HTML of the page containing Mazeroll, it’s clear that the page I send the POST array to is postscores.php.
So we have to prevent cheating.
That’s why in your MochiAds publisher settings page you’ll find a secret key that can be used to authenticate the score data sent from the Bridge to your server.
In your POST variables you can find one called signature.
This is an MD5 hash of the POST vars + your secret key. So the MD5 hash you compute yourself from the POST vars + your secret key must match the signature.
In order to use this for authentication, you have to follow these steps:
- Populate an array of all parameter names as keys and their values
- Remove the signature parameter
- Sort the array alphabetically by the key name
- Turn the array into a url encoded string
- Append your secret key
- Compute the MD5 hash with the string
- Compare your MD5 hash with the signature parameter sent by the Bridge
So I prepared this little script that does the job:
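<?php
// your secret key from the MochiAds publisher settings page (placeholder value)
$key = "YOUR_SECRET_KEY";
// sorting the POST array alphabetically by key name
ksort($_POST);
$string = "";
// looping through all POST variables
foreach($_POST as $varname => $varvalue){
// if the key is not "signature" then append key and url encoded values to the string
if($varname!=="signature"){
$string.=$varname."=".rawurlencode($varvalue)."&";
}
}
// removing the last character (a "&")
$string = substr($string,0,strlen($string)-1);
// appending the secret key to the string
$string.= $key;
// comparing the MD5 hash of the string with the "signature" variable
// (hash_equals is a strict, constant-time string comparison)
if(isset($_POST["signature"]) && is_string($_POST["signature"]) && hash_equals(md5($string),$_POST["signature"])){
// it's a valid submission!
}
?>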
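The seven steps above, wrapped in a reusable function and run against three constructed submissions. This is an added example, not code from the original post: the function names bridge_signature() and is_valid_submission(), the secret key and the field names are all assumptions made for the demo.

```php
<?php
// Added example, not part of the original post. Function names, key and
// field names are hypothetical; only the 7-step procedure comes from the text.

// Steps 1-6: drop "signature", sort by key, url-encode values, append key, MD5.
function bridge_signature(array $params, string $key): string {
    unset($params["signature"]);
    ksort($params);
    $pairs = [];
    foreach ($params as $name => $value) {
        $pairs[] = $name . "=" . rawurlencode($value);
    }
    return md5(implode("&", $pairs) . $key);
}

// Step 7: compare with the signature sent by the Bridge.
function is_valid_submission(array $post, string $key): bool {
    // A missing or array-valued signature (signature[]=x) is rejected outright.
    if (!isset($post["signature"]) || !is_string($post["signature"])) {
        return false;
    }
    // PHP turns score[]=1 into an array; such values cannot be url-encoded.
    foreach ($post as $value) {
        if (!is_string($value)) {
            return false;
        }
    }
    // hash_equals() compares as strings and in constant time, unlike ==.
    return hash_equals(bridge_signature($post, $key), $post["signature"]);
}

// Constructed sample data standing in for $_POST.
$key = "example-secret-key";

$genuine = ["name" => "Player One", "score" => "1200", "gameID" => "demo"];
$genuine["signature"] = bridge_signature($genuine, $key);

$tampered = $genuine;
$tampered["score"] = "999999"; // value edited, original signature reused

$unsigned = ["name" => "Player One", "score" => "1200", "gameID" => "demo"];

$cases = ["genuine" => $genuine, "tampered" => $tampered, "unsigned" => $unsigned];
foreach ($cases as $label => $post) {
    $verdict = is_valid_submission($post, $key) ? "accepted" : "rejected";
    printf("%-9s %s\n", $label, $verdict);
}
```

In postscores.php the call would be is_valid_submission($_POST, $key), with $key set to the secret key from the publisher settings page.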
Now you can check for valid submissions; next time I’ll show you what to do with them.