Understanding MochiAds Publisher Bridge – Part 2

This is the second part of Understanding MochiAds Publisher Bridge.

In the first step I showed you how to configure a cross-domain policy file, call the JavaScript and send the results to a web page.

Now it’s time to prevent cheating.

As you can see, it’s very easy to send some POST variables to a web page, and it’s even easier when you know the name of that page… and in our case you can find it simply by looking at the HTML.

If you look at the HTML of the page containing Mazeroll, it’s clear that the page I send the POST array to is postscores.php.

So we have to prevent cheating.

That’s why in your MochiAds publisher settings page you’ll find a secret key that can be used to authenticate the score data sent from the Bridge to your server.

In your POST variables you can find one called signature.

This is an MD5 hash of the POST vars + your secret key, so when you compute the MD5 hash of the POST vars + your secret key yourself, the result must match the signature.

In order to use this for authentication, you have to follow these steps:

  1. Populate an array of all parameter names as keys and their values
  2. Remove the signature parameter
  3. Sort the array alphabetically by the key name
  4. Turn the array into a URL-encoded string
  5. Append your secret key
  6. Compute the MD5 hash of the string
  7. Compare your MD5 hash with the signature parameter sent by the Bridge

So I prepared this little script that does the job:

<?php
 
// your secret key
$key="xxxxxxxxxxxxxxxxxxxxxxxxxx";
 
// initializing an empty string - not strictly necessary
$string = "";
 
// ordering the associative POST array by keys
ksort($_POST);
 
// loop scanning through all POST array
foreach($_POST as $varname => $varvalue){
     // if the key is not "signature" then append key and url encoded values to the string
     // (strict !== so that a numeric key such as 0 is never mistaken for "signature")
     if($varname!=="signature"){
          $string.=$varname."=".rawurlencode($varvalue)."&";
     }
}
 
// removing the last character (a "&")
$string = substr($string,0,strlen($string)-1);
 
// appending the secret key to the string
$string.= $key;
 
// comparing the MD5 hash of the string with the "signature" variable;
// hash_equals() (PHP 5.6+) compares the two strings exactly and in constant time, unlike ==
if(isset($_POST['signature']) && is_string($_POST['signature']) && hash_equals(md5($string),$_POST['signature'])){
     // it's a valid submission!
}
 
?>
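
The same seven steps wrapped in reusable functions and run against constructed submissions, as an added example that is not part of the original script or MochiAds' own code. The function names, the test key and the field names (score, name, gameID) are assumptions made up for illustration.

```php
<?php
declare(strict_types=1);
// Hypothetical helper: steps 1-6, returns the expected signature.
function bridge_signature(array $params, string $secret): string
{
    unset($params['signature']);              // step 2
    ksort($params, SORT_STRING);              // step 3
    $pairs = array();
    foreach ($params as $name => $value) {
        if (!is_scalar($value)) {
            // e.g. score[]=1 arrives as an array and cannot be url encoded
            throw new InvalidArgumentException("non-scalar parameter: $name");
        }
        $pairs[] = $name . '=' . rawurlencode((string) $value);  // step 4
    }
    return md5(implode('&', $pairs) . $secret);  // steps 5 and 6
}

// Hypothetical helper: step 7, failing closed on malformed input.
function bridge_verify(array $post, string $secret): bool
{
    if (!isset($post['signature']) || !is_string($post['signature'])) {
        return false;
    }
    try {
        $expected = bridge_signature($post, $secret);
    } catch (InvalidArgumentException $e) {
        return false;
    }
    // constant-time, type-strict comparison of the two hex digests
    return hash_equals($expected, $post['signature']);
}

// Constructed sample data, not real Bridge traffic.
$secret = 'constructed-test-key';
$valid = array('score' => '1500', 'name' => 'Player One', 'gameID' => 'abc123');
$valid['signature'] = bridge_signature($valid, $secret);

$tampered = $valid;
$tampered['score'] = '999999';                // value changed after signing
$unsigned = $valid;
unset($unsigned['signature']);                // signature missing
$malformed = $valid;
$malformed['score'] = array('1500');          // array instead of a string

foreach (compact('valid', 'tampered', 'unsigned', 'malformed') as $label => $post) {
    echo $label, ': ', bridge_verify($post, $secret) ? 'accepted' : 'rejected', "\n";
}
```

Only the untouched submission is accepted; the other three are rejected without raising an error.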

Now you can check for valid submissions. Next time I’ll show you what to do with them.


5 Responses to “Understanding MochiAds Publisher Bridge – Part 2”

  1. arxanas` on August 18th, 2009 3:37 am

    Wow, it’s been a while since you’ve published a PHP tutorial. Looking forward to more!

  2. SJG on August 19th, 2009 6:31 pm

    Moar plz noaw!

    :)

    I think I have become a fan for life… :)

  3. SJG on August 19th, 2009 6:31 pm

    At least I bug report and donate!!!

  4. Rafael Youakeem on November 3rd, 2009 8:50 pm

    Hello, ahh... I guess it is because of my stupidity but I can’t figure out where to put this script on my site. Should it be in the postscores.php or what?
