Mon Dec 14 2009

Thanks Guys,

Great tips.

Have added encryption to the score in the AS - decrypting in the PHP.
Also added the timestamp as per your suggestion below Oliver - thanks.

So someone would have to go to the effort of disassembling the SWF to find
the challenge phrase etc...far from difficult but you'd have to really want

There's no major prizes - a small corporate giveaway... just have to be seen
to be trying to limit abuse.



On Mon, Dec 14, 2009 at 10:26 AM, Oliver Humpage <oliver at> wrote:

> On 14 Dec 2009, at 10:15, Spandex wrote:
> >> It's also worth encrypting the data you send - even though someone can
> >> get at your encryption key by decompiling the flash app, it'll put off
> >> the casual cheater.
> >
> > A very lightweight way to do this is to MD5 the score together with
> > some pre-arranged string the server and client agree on. Then send the
> > score plaintext along with the MD5 as "proof".
> As a general rule of thumb, include a timestamp in the checksum (and
> don't accept scores at the server end more than a couple of minutes
> old), otherwise you leave yourself open to replay attacks.
> Oliver.
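
The scheme discussed in this thread, as an added example that is not part of the original messages: a PHP-side check of score, timestamp and checksum. HMAC-SHA256 replaces the MD5-plus-string construction, and the field names, constants and the in-memory `$seen` list (standing in for persistent storage) are assumptions.

```php
<?php
// Added example; every name below is hypothetical.
const SHARED_SECRET   = 'constructed-demo-secret'; // placeholder, also shipped in the client
const MAX_AGE_SECONDS = 120; // "a couple of minutes"
const MAX_FUTURE_SKEW = 30;  // assumed clock-skew tolerance
// Checksum the client sends with the plaintext score and timestamp.
function score_proof(int $score, int $ts): string
{
    // HMAC-SHA256 stands in for the thread's md5(score . secret).
    return hash_hmac('sha256', $score . '|' . $ts, SHARED_SECRET);
}

// Returns 'ok' or the reason for rejection; $seen holds proofs already accepted.
function verify_submission(array $post, int $now, array &$seen): string
{
    foreach (['score', 'ts', 'proof'] as $f) {
        if (!isset($post[$f]) || !is_string($post[$f])) {
            return 'missing field';
        }
    }
    if (!ctype_digit($post['score']) || !ctype_digit($post['ts'])) {
        return 'malformed field';
    }
    $score = (int) $post['score'];
    $ts    = (int) $post['ts'];
    // Constant-time comparison of the expected and supplied checksum.
    if (!hash_equals(score_proof($score, $ts), $post['proof'])) {
        return 'bad proof';
    }
    if ($now - $ts > MAX_AGE_SECONDS || $ts - $now > MAX_FUTURE_SKEW) {
        return 'stale timestamp';
    }
    // The age limit alone still permits a replay inside the window.
    if (isset($seen[$post['proof']])) {
        return 'replayed';
    }
    $seen[$post['proof']] = $ts;
    return 'ok';
}

// Constructed sample submissions.
$seen = [];
$now  = 1260786400;
$good = ['score' => '4200', 'ts' => (string) ($now - 10), 'proof' => score_proof(4200, $now - 10)];
$old  = ['score' => '4200', 'ts' => (string) ($now - 600), 'proof' => score_proof(4200, $now - 600)];
echo verify_submission($good, $now, $seen), "\n";                         // fresh
echo verify_submission($good, $now + 5, $seen), "\n";                     // resent
echo verify_submission(['score' => '999999'] + $good, $now, $seen), "\n"; // score edited
echo verify_submission($old, $now, $seen), "\n";                          // ten minutes old
```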
