In an attempt to construct a highscore system, I am using 39Dll to access PHP scripts on my server who will then connect to a SQL database to handle information requests and retrievals. My PHP scripts handle the database connection, obviously, so there is no sensitive data stored on the client side. However, my question concerns the security risks involved and how to approach solving them. Obviously retrieving data is not the issue, it is the submission of data. This information can easily be discovered by a packet sniffer and the PHP script can be easily abused. Thus encrypting the data is necessary.
My idea is this:
1) The server could produce the private and public key for this particular session, sending the public key to user application.
2) The user's application will encrypt all the necessary data in a particular format before sending it to the server, using the session's public key.
3) After the data is sent the server could handle the decryption process, adding the information to the database.
What are your thoughts on this? I'm well aware this is not the best implementation, so please provide your thoughts and suggestions.
Edited by whgoss, 12 June 2011 - 05:53 PM.