That’s for sure, yes. But that can also be done in different ways. I mean without giving, it’s like putting the key to one’s house under a flower pot and imagining never being burglarized.
The score can be increase not explicitly in the ajax queries, but calculate in the PHP file according to various factors. It must be the PHP that processes things, and transmit the minimum via ajax. We must send references via ajax and not explicit values that everyone can understand.
For example one can very well send JSON which is encrypted via ajax then in PHP decrypt and recover all the data to save them in the BDD. In addition I would never send data by GET (? Score = 100). I only use POST in ajax.
I do not say that my method is the only one that exists. I’m just giving a reponse to the question originally asked. If you pass values as explicit with Javascript, yes you have a big concern for security, it is directly to give the key of his houses to a thief.
This can be done in smarter ways. In any case, the author of the subject seems to have found his answer. So it’s good.