Let's Make A Game - Part 2



On Day 8, we made a Number Guessing Game in PHP. If you have problems understanding the Day 8 script, don't worry; it is a slightly complicated script, and you will understand it better as we keep improving it.

Let's start with the previous lesson's code.

day_8_ex_2.php

PHP Code:
<html>
<body>

<h1>Number Guessing Game.</h1>

<?php

// Reuse the secret number sent back by the form, or pick a new one.
// The (int) cast keeps the value numeric before it is echoed into the page.
if (isset($_GET['secretNumber'])) {
    $secretNumber = (int) $_GET['secretNumber'];
} else {
    $secretNumber = rand(1, 10);
}

// Compare the guess with the secret number and print a hint.
if (isset($_GET['userNumber'])) {
    $userNumber = (int) $_GET['userNumber'];

    if ($secretNumber > $userNumber) {
        echo '<h1 style="color:red">Your number is too SMALL.</h1>';
    } else if ($secretNumber < $userNumber) {
        echo '<h1 style="color:blue">Your number is too BIG.</h1>';
    } else {
        echo '<h1 style="color:green">You win the game.</h1>';
    }
}

?>

<form method="GET" action="">
    Enter Number: <input name="userNumber" type="text">
    <button type="submit">Check</button>
    <input type="hidden" name="secretNumber" value="<?php echo $secretNumber; ?>">
</form>

<h2>How to Play:</h2>

<pre>
* Server will pick a secret number between 1 and 10.
* You guess what number it is.
* If your guess is too high or too low, Server will give you a hint.
* See how many turns it takes you to win!
</pre>

</body>
</html>
The script has some flaws. As you can see in the picture below, our secret number is not secret.



In this case, secretNumber is passed to the server using the GET method.

Code:
day_8_ex_2.php?userNumber=5&secretNumber=2
Anyone looking at the URL can see the secretNumber the server generated with the rand() function, enter that number, and WIN (or cheat) the game.

What can we do to stop the secretNumber from showing up in the URL?

Welcome to the POST Method.

Web servers support POST and GET methods.

The GET method is generally used for small amounts of data and when you need to let users use the browser's back/forward buttons. The amount of data that can be passed using the GET method is limited. Most search engines use the GET method because it allows you to use the back/forward feature in the browser, for example:

Code:
https://www.google.com/search?q=become+php+expert+in+30+days
Who Uses the POST Method and Why

Most banks use the POST method for their login page; if not, anyone would be able to see your password and user name by looking at the address bar of your browser.

Any FORM page that sends large data or sensitive data (for example password, credit card number, etc.) must use the POST method.

$_POST Associative Array in PHP

Like the $_GET array in PHP, you can use the $_POST array to read data sent to the server with the POST method.

To change a FORM page to use the POST method, replace GET with POST in our example script.

Find

Code:
<form method="GET" action="">
Replace With

Code:
<form method="POST" action="">

Let's Update Our Game To Use the POST Method

It's easy: find every GET and replace it with POST.

day_9_ex_1.php


PHP Code:
<html>
<body>

<h1>Number Guessing Game.</h1>

<?php

// Reuse the secret number sent back by the form, or pick a new one.
// The (int) cast keeps the value numeric before it is echoed into the page.
if (isset($_POST['secretNumber'])) {
    $secretNumber = (int) $_POST['secretNumber'];
} else {
    $secretNumber = rand(1, 100);
}

// Compare the guess with the secret number and print a hint.
if (isset($_POST['userNumber'])) {
    $userNumber = (int) $_POST['userNumber'];

    if ($secretNumber > $userNumber) {
        echo '<h1 style="color:red">Your number is too SMALL.</h1>';
    } else if ($secretNumber < $userNumber) {
        echo '<h1 style="color:blue">Your number is too BIG.</h1>';
    } else {
        echo '<h1 style="color:green">You win the game.</h1>';
    }
}

?>

<form method="POST" action="">
    Enter Number: <input name="userNumber" type="text">
    <button type="submit">Check</button>
    <input type="hidden" name="secretNumber" value="<?php echo $secretNumber; ?>">
</form>

<h2>How to Play:</h2>

<pre>
* Server will pick a secret number between 1 and 100.
* You guess what number it is.
* If your guess is too high or too low, Server will give you a hint.
* See how many turns it takes you to win!
</pre>

</body>
</html>
Upload the script to your web site and run it:

Code:
http://YOUR-SITE/day_9_ex_1.php
When you submit the form, no data is passed through the URL, so you can't just look at the URL and find the secret number.

There is still one more way to CHEAT in this game: looking at the source code of your HTML page and finding the value of the hidden field named secretNumber. We will fix it on Day 10.
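
The move from GET to POST described above, and the hidden-field exposure that remains, as an added example that is not part of the original lesson: this stand-alone PHP script builds the raw request a browser would send for each method and reports where secretNumber travels. The function names are hypothetical, and the host, path and field values are constructed sample input.

```php
<?php
// Added example, not from the original lesson. Function names are hypothetical
// and all request and page values below are constructed sample input.

// Build the raw HTTP request a browser sends when the game form is submitted.
function buildRequest(string $method, string $path, array $fields): string
{
    $query = http_build_query($fields);
    if ($method === 'GET') {
        // GET: the form fields are appended to the URL in the request line.
        return "GET $path?$query HTTP/1.1\r\nHost: YOUR-SITE\r\n\r\n";
    }
    // POST: the form fields travel in the request body instead.
    return "POST $path HTTP/1.1\r\nHost: YOUR-SITE\r\n"
        . "Content-Type: application/x-www-form-urlencoded\r\n"
        . 'Content-Length: ' . strlen($query) . "\r\n\r\n"
        . $query;
}

// Report whether a form field is in the URL, in the body, or absent.
function locateField(string $request, string $name): string
{
    [$head, $body] = explode("\r\n\r\n", $request, 2);
    $requestLine = strtok($head, "\r\n");
    if (strpos($requestLine, "$name=") !== false) {
        return 'URL';
    }
    parse_str($body, $bodyFields);
    return isset($bodyFields[$name]) ? 'body' : 'absent';
}

// Read a hidden field's value out of the HTML the server sent back.
function hiddenFieldValue(string $html, string $name): ?string
{
    $pattern = '/<input[^>]*name="' . preg_quote($name, '/') . '"[^>]*value="([^"]*)"/';
    return preg_match($pattern, $html, $m) ? $m[1] : null;
}

$fields = ['userNumber' => 5, 'secretNumber' => 2];
foreach (['GET', 'POST'] as $method) {
    $request = buildRequest($method, '/day_9_ex_1.php', $fields);
    echo "$method: secretNumber is in the " . locateField($request, 'secretNumber') . "\n";
}

// The form as day_9_ex_1.php renders it: the value is still in the page source.
$page = '<form method="POST" action=""><input type="hidden" name="secretNumber" value="2"></form>';
echo 'Hidden field in page source: ' . hiddenFieldValue($page, 'secretNumber') . "\n";
```

With POST the value leaves the URL, but it is still sent to the browser in the page and back to the server in the request body, which is the remaining cheat the lesson defers to Day 10.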