This plugin lets you encrypt data with the RSA algorithm in an Ajax request (client side) and decrypt it in PHP (server side).
IMPORTANT: this plugin does not provide foolproof protection against cheating. The public key and the code that encrypts the request run in the player's browser, so a determined player can still read them and craft valid requests; the encryption and the tokens raise the bar, they do not make the server trust the client.
ONLINE DEMONSTRATION
How to use it?
Downloads
Here are the 3 downloads necessary to use AJAXRSA with Construct 2:
RSA Keys Generator
Download and unzip the folder.
Execute the «index.exe».
(size: 18 MB)
Plugin Construct 2
Download, unzip and put the folder called «ajaxrsa» in the Construct 2 Plugins folder.
(size: 10 KB)
PHP Library and Demo
Download and unzip the folder.
You will obtain 2 folders and 1 example script.
(size: 143 KB)
RSA Keys
First, you will need two keys: a public key and a private key.
Launch the RSA Keys Generator (look for the executable called «index.exe»).
You get this:
Construct 2 Plugin
Make sure your folder «ajaxrsa» is present in the Construct 2 Plugins folder:
C:/Program Files/Construct 2/exporters/html5/plugins/ajaxrsa/
Launch Construct 2, create a new project and add a new object: AJAX-RSA.
Now, open your Event Sheet and add the following Events/Actions:
PHP Library & Demo
On the server side, make sure your folders «Crypt» and «Math» are in the same folder.
Below is the demo script that processes the data on the server side:
// Use it for local preview (localhost:50000)
// See : https://www.scirra.com/manual/107/ajax
//header('Access-Control-Allow-Origin: * ');
ini_set("display_errors", 0);
session_start(); // Need session to store Token
require_once('Crypt/RSA.php'); // The Math folder must be at the same level as the Crypt folder
// IMPORTANT : Keep the complete syntax and the line breaks of the Private Key
// NOTE : this demo key is only 512 bits, which is far too small for real use;
// generate a 2048-bit (or larger) key and keep it outside the web root.
define("KEY_PRIVATE", "-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAMrXPEVu4LxhOUvV2mreOoHIchPlJYgvRdpqkBd6t2sD7SM02DqP
n89eSj+oqG1ZR+l7Yj1SMCZMrav6257UivMCAwEAAQJAHHwerKl7dI46sO72iJdt
+UJ1iAcKlECp5e2dD+Rd1EXYNfIH26AyprDRXNTRoTYidiVaUH1Z8NxifWagf36j
gQIhAOKOTxjSwgDIWQxoMxw2AL8AAGF3g4uWXgRZKp4f9QghAiEA5TPn1H/j7AQW
NTW7WmM6PjV/Xdl0YI4y2OUTdw2E4JMCIQCvYFJCeQPM70pfnFnUQMmbETk6OfYO
nDvzScL/3OUlgQIgZop6RU+SIJ0Tcmq/jwilnf9BJDONJUV46iBSPQkHUZECIAnE
byHHtgYokdOrheh+O1FWUtq5q/xq28TR+tHUFa1i
-----END RSA PRIVATE KEY-----");
// Function to decrypt data (PKCS#1 v1.5; the ciphertext arrives as a hexadecimal string)
function decrypt($data) {
    $rsa = new Crypt_RSA();
    $rsa->setEncryptionMode(CRYPT_RSA_ENCRYPTION_PKCS1);
    $rsa->loadKey(KEY_PRIVATE, CRYPT_RSA_PRIVATE_FORMAT_PKCS1);
    $s = new Math_BigInteger($data, 16);
    $plain = $rsa->decrypt($s->toBytes());
    return ($plain === false) ? "" : $plain; // decrypt() returns FALSE on a bad ciphertext
}
$arr_data = array(); // Array where we will store our data
$data = "";
if(!isset($_SESSION['token'])) $_SESSION['token'] = array();
// Check if the Ajax Request comes from the game folder
// example : http://www.domain.com/folderGame/ or http://www.domain.com/folderGame/index.html
// CAUTION : the Referer header is sent by the client and is trivially forged;
// this only stops accidental calls from other pages, not a cheater.
if(isset($_SERVER['HTTP_REFERER'])
    && ($_SERVER['HTTP_REFERER']=="http://www.payondev.fr/projet/ajaxrsa/demonstration/"
    || $_SERVER['HTTP_REFERER']=="http://www.payondev.fr/projet/ajaxrsa/demonstration/index.html"))
{
    // If "Post to URL" ($HTTP_POST_VARS / $HTTP_GET_VARS no longer exist in PHP)
    if(isset($_POST['d'])) $data = $_POST['d'];
    // If "Request URL"
    if(isset($_GET['d'])) $data = $_GET['d'];
    if(trim($data, " \t\n\r")!="")
    {
        // Decrypt Data
        $decrypted_data = utf8_decode(decrypt($data));
        parse_str($decrypted_data, $arr_data);
        // Check if there is a data called "token"
        if(isset($arr_data['token']) && trim($arr_data['token'], " \t\n\r")!="")
        {
            // Check if token exists (get key if it exists)
            if( ($k = array_search($arr_data['token'], $_SESSION['token'])) !== FALSE )
            {
                // Remove current token (expired or not): a token is single use
                unset($_SESSION['token'][$k]);
                $expiration = explode("_", $arr_data['token']);
                $delayToken = time() - $expiration[1];
                if($delayToken<=2)
                {
                    // *******************************************************************
                    // ************************ YOUR CODE HERE ***************************
                    // *******************************************************************
                    // EX : www.domain.com/index.php?player=Vincent&score=150&token=123abc...
                    // $arr_data["player"] = "Vincent";
                    // $arr_data["score"] = "150";
                    // $arr_data["token"] = "123abc...";
                    foreach($arr_data as $key => $value) echo $key .": ". $value." ";
                }else{ echo "Error : Token Expired"; }
            }else{ echo "Error : Invalid Token"; }
        }else{ echo "Error : Token missing"; }
    }else{
        // If no data in URL, generate Token and return it
        // rand() is predictable: use a CSPRNG so a token cannot be guessed
        $token = bin2hex(openssl_random_pseudo_bytes(16));
        echo $_SESSION['token'][] = $token."_".time();
    }
}else{ echo "Error : It's not a call from the game"; }
Of course, the use of tokens (on the Construct 2 side and on the PHP side) is not mandatory, but it is recommended for browser games: a token is single use and expires after 2 seconds, so a captured request cannot simply be sent again.