Encrypt $_GET variables?

You could store their current position, and then compare that to the new position (on the new URL), and make sure that it is a valid move that they can make.

 

I did figure out a way to do it withoiut using GET; instead I added three new colums to the maps table, and summoned the right map using the zone number from the characters table. Nowhere near as flexible, but much more secure.

 

I have a different oppinion on the security through obscurity thing. I think it can work to keep out the "children" cheaters. You know, the ones that really don't know anything, but know the little tricks that almost everyone knows.

If I change a query string from ?username=Frank and encode it to something similar to:

?3wewfho3234we=2l4645dsaa3sadf

And say my encode / decode functions are of course exactly the same, and proper checks are done on the php page IE

if ($username == "frank")
{

}
elseif ($username == "bob")
{

}

If the user changes the query strings value from 2l4645dsaa3sadf to even something remotely close like 2l4645dsbb3sadf it will be a way off to what the script is looking for. Yes, I know this would not keep out the pro's, but it would be enough to get rid of a few that could do damage otherwise.

Think, if this is a number and the number ends up being 8 characters long encoded and it must match something else in a query lets say, they would have a need in a haystack chance of finding that.