Thanks Nick, I'll take some measures to obfuscate the "secret", but I just realized I have another potential hole. There is nothing to prevent someone from actually getting a high score, then replaying the request to get all of the top positions. I suppose the solution is to have the server create a random string, save it on the server, send it to the client, and use the token as another element of the checksum. Then once the score is saved, the token is deleted from the server. I think that will work, but now I am starting to feel sorry for the next guy that has to figure out what the hell my code is doing. :)
Cheers,
John Campbell

_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk

NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com

Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php
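
The one-time token flow described in the message above, as an added example that is not part of the original post. The class and function names, the in-memory array standing in for a session or database table, the use of HMAC-SHA256 as the checksum, the expiry time and the placeholder secret are all assumptions.

```php
<?php
// Added example: names, the array store and the HMAC choice are assumptions.
const SHARED_SECRET = 'constructed-demo-secret'; // placeholder for the obfuscated client secret

final class ScoreTokens
{
    /** @var array<string,int> token => issue time; stands in for a session or DB table */
    private array $issued = [];

    public function issue(): string
    {
        $token = bin2hex(random_bytes(16)); // unpredictable and used once
        $this->issued[$token] = time();
        return $token;
    }

    // Returns true only when the token is live and the checksum matches it.
    public function redeem(string $token, string $player, int $score, string $checksum, int $ttl = 600): bool
    {
        if (!isset($this->issued[$token])) {
            return false; // unknown or already used: a replayed request ends here
        }
        $age = time() - $this->issued[$token];
        // Stricter than deleting after the save: the token is burned on any attempt.
        unset($this->issued[$token]);
        if ($age > $ttl) {
            return false; // stale token
        }
        return hash_equals(checksum($token, $player, $score), $checksum);
    }
}

function checksum(string $token, string $player, int $score): string
{
    // The token is part of the signed message, so a checksum captured
    // for one token does not verify against any other token.
    return hash_hmac('sha256', $token . '|' . $player . '|' . $score, SHARED_SECRET);
}

// Constructed sample run.
$tokens = new ScoreTokens();
$t = $tokens->issue();
$sum = checksum($t, 'john', 9001);
var_dump($tokens->redeem($t, 'john', 9001, $sum));  // first submission
var_dump($tokens->redeem($t, 'john', 9001, $sum));  // identical request replayed
$t2 = $tokens->issue();
var_dump($tokens->redeem($t2, 'john', 9001, $sum)); // old checksum, fresh token
```

The token only stops replay of a captured request; the checksum still depends on a secret that ships inside the client.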
