Implementing a PHP function using "Construct" engine

I’m building a game using Construct 3 Engine and netlify has proven a great website to deploy my games and quickly check them.

I’ve never used PHP (except building a site like… 10+ years ago I think) and I rely on Construct’s visual programming.
That said - I do have an idea about programming and a bit of HTML/JS knowledge.

Here is my game’s current version:

I’d like the players to be able to send me some game-related data to give me a better idea about their behaviour. I found this tutorial: How to Create Files In Server, Save Data And Load into Arrays

TLDR: It relies on very simple PHP files to write data on a json file and import from there.

Here is the import.php:


    $id = $_POST['id'];

    $myfile = fopen("$id.json", "w") or die("Unable to open file!");

    $text = $_POST['my_data'];

    fwrite($myfile, $text);



And export.php

	header('Access-Control-Allow-Origin: *');
$id = $_POST['id'];
	    include "$id.json";		


From what I understand, real-time php functions don’t work, but netlify have in-built functions to basically simulate certain behaviour… and forms are part of this?

I have no idea how to handle this and I’d very much appreciate if anyone can help.
I don’t mind if you give me a fish, but best would be if you teach me/forward me to a source where I can learn how to fish. I found a few questions and samples but they were too abstract for me to properly understand.

Finally: Are there any security concerns? Should I take any measures for my app’s or users’ security?

Kind regards,

PHP is not supported on Netlify. The Netlify Functions that you’re talking about are written in JavaScript or Go.

If you can migrate this PHP functionality to JS, you’re good to go. Since I don’t know PHP, I’m not very sure what your code is doing, however from this text:

I am assuming you’re using it to generate JSONs.

In Nelify Functions you can do something like:

exports.handler = async () => {
  return {
    statusCode: 200,
    body: JSON.stringify('foo')

And you can call this Function in your client-side JS like:

fetch(/.netlify/functins/functionName).then(response => response.json()).then(data => /*parse data here*/).catch(error => console.log(error));

As you can see, you can’t really return files with Functions, you can return JSON data and you’d have to use the data to manipulate your client-side code according to your wish.

The security concern is that, anyone can spam this function as it’s very easy to get its URL. Once someone gets it, they can run it over and over, thus exhausting your Netlify plan or something else depending on what exactly you do inside that function.


Thank you! I’ll try to get a grasp of the code you provided.

For the security part: What would be a good way to prevent this?
I mean, I don’t think anyone will really bully me at this point, but I’d appreciate having an idea for the future.

I wish there was one, I myself am looking :joy: and have actually tried many ways only to find out it’s not possible. It’s one of the problems with client-side code, anyone desperate enough can find out what’s happening on their device and manipulate it.

With that being said, you can indeed make it difficult for someone to exploit it. You can check for stuff like:

exports.handler = async event => {
  if (process.env.URL.includes( {
    return {
      statusCode: 200,
      body: JSON.stringify('foo')
  } else {
    return {
      statusCode: 403,
      body: JSON.stringify('forbidden')

This will check if the function was called by your domain and only then pass the actual data. If not, the invoker of the function would see a 403 error.

Note that, this will still cause the function to be invoked and thus, would count towards billing, however it’s a small measure you can take to make it a little difficult for someone to be able to run the function themselves.

1 Like