How to prevent user from cheating and changing row

How to secure link and deny link edit?

Let's say I have a 5x5 grid:

A1 A2 A3 A4 A5
B1 B2 B3 B4 B5
C1 C2 C3 C4 C6
D1 D2 D3 D4 D5
E1 E2 E3 E4 E5

Every row is clickable, and if the user clicks D3 it redirects the user to ?location=D3 and D3 in the grid is marked bold.

What I want to achieve is to allow the user to move only +1 row to any side from the actual position. For D3, allowed would be:

C2 C3 C4
D2 D3 D4
E2 E3 E4

And if the user changes the location in the URL to where it could not really go, redirect it to the last location?

I have a field last_location, updated on every move, in the database.

The question is how to prevent the user from cheating here?

Thanks in advance!

Calculate which fields are valid and use them as a whitelist for the next move.


Yeah. … I figured out that I already have the way to do it! So dumb that I missed that :man_facepalming:

Alternatively, don’t let the user send you that data at all. Let them give you a number, 1-8, that defines their next move (or move attempt).
You already store the current location, so if they are at X…

5 1 7
2 X 4
6 3 8

Their new location is given by:

$output = array('x'=> intval(substr($dbresult['curpos'],1))-1, 'y' => ord(substr($dbresult['curpos'],0,1))-65);
$input = $input - 1; //Because we like working in zero-index terms...
//Each (bit - 0.5)/abs(bit - 0.5) expression below evaluates to -1 when the bit is clear and +1 when it is set.
if($input & 4) {
   //They went in a diagonal.
   $output['x'] += (($input & 2) - 0.5)/abs(($input & 2) - 0.5);
   $output['y'] += (($input & 1) - 0.5)/abs(($input & 1) - 0.5);
} else {
   //They went in a cardinal.
   $tomod = ($input & 1) ? "x" : "y";
   $output[$tomod] += (($input & 2) - 0.5)/abs(($input & 2) - 0.5);
}
//Clamp to the 5x5 grid: zero-based indexes 0-4, i.e. rows A-E and columns 1-5.
$output = chr(min(max($output['y'],0),4)+65).(min(max($output['x'],0),4)+1);

(and you always thought your maths teacher was lying when they said you would be using it in the future…)


Hey, thanks for the helpful answer! But for a bit I do not get this example. … It just looks much different to what I am trying to make?

@m_hutley Take a look at what I have,
but here instead of location=D3 I use l=D&n=3

When you click on any of the fields you see the sector, which should be the only place the user can click (or enter in the URL bar).

@m_hutley As I already told chron, I have a solution to it, I just need to modify it! But I would check any other solution if it looks better!

Kinda seems like something you could solve easier on the front end…kinda easily.

Front end can be edited. …

Um… huh?

Maybe I get you wrong, but the user can change the front end.

How exactly. Tracking things like this seems like it would fall on the shoulders of front end.

Back end needs to take care of data. …


Correct but, if I read the requirements correctly, preventing a user choice happens on the client, client issue to deal with.

I know how to manage client side as long as server side


Data sanitization is a backend function - no client side measure can be relied upon to manage it.


Again, this isn’t a data sanitation issue.

THAT, is a front end issue, plain and simple.

Again, absolutely false. ‘plain and simple’.

Show me how you would prevent someone from cheating your form.

Keep in mind that I can type into my browser ‘yourbackend.php?userinput=Z77’.

I don’t have time or frankly energy to type out a solution. I’d start looking into things like, oh idk, index, preventDefault, setAttribute. If it’s what the customer sees or interacts with, it’s front end.

I mean sure, knock yourself out with a backend solution, but this is 100% something your front end should be responsible for. You can tell me WRONG all you want, but again, according to the specifics,…

None of the things you have listed prevent me from sending ‘yourbackend.php?userinput=A1’ and suddenly moving from C3 to A1.

This is a data sanitization issue. According to the specifics.

It is the DEFINITION of data sanitization issues: How do I ensure that whatever the browser sends me is legitimate data?
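
The whitelist approach suggested earlier in the thread, checked on the server against the stored last_location, as an added example that is not part of any post above. The function names and the sample requests are assumptions; the grid is the thread's 5x5 one (rows A-E, columns 1-5) and, as in the D3 example, the current cell counts as allowed.

```php
<?php
// Added example: server-side move whitelist for the thread's 5x5 grid.
// Function names and sample values are assumptions, not from the thread.

const GRID_SIZE = 5; // rows A-E, columns 1-5

/** Cells reachable in one move from $from (the cell itself plus its neighbours). */
function allowedMoves(string $from): array
{
    // $from is the trusted value from the database, but is still checked.
    if (!preg_match('/\A([A-E])([1-5])\z/', $from, $m)) {
        return [];
    }
    $row = ord($m[1]) - 65;   // 'A' => 0
    $col = (int)$m[2] - 1;    // '1' => 0
    $allowed = [];
    for ($dr = -1; $dr <= 1; $dr++) {
        for ($dc = -1; $dc <= 1; $dc++) {
            $r = $row + $dr;
            $c = $col + $dc;
            // Skip neighbours that fall off the edge of the grid.
            if ($r >= 0 && $r < GRID_SIZE && $c >= 0 && $c < GRID_SIZE) {
                $allowed[] = chr(65 + $r) . ($c + 1);
            }
        }
    }
    return $allowed;
}

/**
 * Location to store and display: the requested cell if it is on the
 * whitelist, otherwise the last known location. The untrusted value is
 * only ever compared (strictly) against the whitelist, never parsed.
 */
function resolveMove(string $lastLocation, mixed $requested): string
{
    return in_array($requested, allowedMoves($lastLocation), true)
        ? $requested
        : $lastLocation;
}

// Constructed requests against a stored last_location of D3.
foreach (['E4', 'A1', 'Z77', ['D4'], null] as $request) {
    echo json_encode($request), ' -> ', resolveMove('D3', $request), PHP_EOL;
}
```

In a request handler, `$requested` would be the `location` query parameter and `$lastLocation` the stored last_location; only the returned value is written back to the database.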