High Score Security

  • dudeking
  • Student
  • Posts: 95
  • Loc: UK, Middlands

Post 3+ Months Ago

Okay, I have written a few games using JavaScript, and for the high scores I have used Ajax to send the score to a PHP page which stores the score in a database. I have got the security okay so the user has to be logged in, there is no way to alter scores for other users, but when you are logged in it is still possible to inject scores.

Code:
// Only accept the request if the supplied session ID matches the logged-in user's session
if($_GET['sessionID'] == $user->data['session_id'])
{
    // Cast to int so the client-supplied value cannot change the SQL statements below
    $score = (int) $_GET['score'];
    $username = $user->data['username_clean'];

    if($username != 'anonymous')
    {
        // Fetch the user's current best score
        $sql = "SELECT score FROM games_batball WHERE username = '$username' ORDER BY score DESC";
        $result = mysql_query($sql);
        $row = mysql_fetch_assoc($result);
        // Store the submitted score only if it beats the stored one
        if($row['score'] < $score)
        {
            $sql = "INSERT INTO games_batball (username, score) VALUES ('$username', '$score')";
            $result = mysql_query($sql);
            $message = 'Your Score Was Added';
        }
        else
        {
            $message = 'Your older score of '.$row['score'].' was higher.';
        }
    }
}


I use PHP to pass the session ID to the game and then when Ajax sends the score it also sends the session ID which is used to ensure the user is logged in and who they are. But they could potentially still alter the JavaScript...

Code:
xmlhttp.open("GET", "score.php?score=" + score + "&sessionID=" + id, true);


and change the variable score to whatever they like, how can I secure this?


Thanks, Eddie
  • joebert
  • Fart Bubbles
  • Genius
  • Posts: 13503
  • Loc: Florida

Post 3+ Months Ago

There is only one way to truly secure game scores. Don't perform any of the game logic in the browser. As long as the browser makes even one calculation used to determine the score, the score can be manipulated.

The browser can not tell the server anything, it can only ask the server what it should show to the player.
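
The approach joebert describes, as an added example that is not part of the original thread: the browser submits only its per-tick paddle moves, and the server replays them through its own copy of the rules and stores the score it computed. The simplified bat-and-ball rules, all function names and the sample input logs are constructed for illustration (runs under Node.js).

```javascript
// Added example: server-side replay of a simplified bat-and-ball game.
// Rules, names and sample logs are hypothetical, not the poster's game.
const WIDTH = 11, HEIGHT = 8, PADDLE = 3, MAX_TICKS = 10000;

// The server creates the starting state, so the client cannot choose it.
function newGame(startX) {
  return { bx: startX, by: 0, dx: 1, dy: 1, px: 4, score: 0, over: false };
}

// Advance one tick. `move` is the only client-supplied value: -1, 0 or 1.
function step(s, move) {
  if (![-1, 0, 1].includes(move)) throw new RangeError('illegal move');
  s.px = Math.min(WIDTH - PADDLE, Math.max(0, s.px + move));
  if (s.bx + s.dx < 0 || s.bx + s.dx >= WIDTH) s.dx = -s.dx; // side walls
  if (s.by + s.dy < 0) s.dy = 1;                              // ceiling
  s.bx += s.dx;
  s.by += s.dy;
  if (s.by === HEIGHT - 1) {                                  // paddle row
    if (s.bx >= s.px && s.bx < s.px + PADDLE) { s.score++; s.dy = -1; }
    else s.over = true;                                       // missed
  }
}

// Replay the submitted inputs and return the score the server computed.
// No score value is ever read from the request.
function scoreFromInputs(startX, moves) {
  if (!Array.isArray(moves) || moves.length > MAX_TICKS) {
    throw new RangeError('bad input log');
  }
  const s = newGame(startX);
  for (const m of moves) {
    if (s.over) break; // inputs sent after a miss are ignored
    step(s, m);
  }
  return s.score;
}

// Constructed sample logs for a game the server started at startX = 2.
const HONEST_LOG = [1, 1, 1, 0, 0, 0, 0, -1, -1, -1, -1,
                    0, 0, 0, 0, 0, 0, 0, 0, 0, 0];
const IDLE_THEN_SPAM = Array(7).fill(0).concat(Array(100).fill(1));

console.log(scoreFromInputs(2, HONEST_LOG));     // two paddle hits
console.log(scoreFromInputs(2, IDLE_THEN_SPAM)); // missed on the first pass
```

A player can still automate the inputs, but the stored score is always one the game rules can actually produce.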
  • dudeking
  • Student
  • Posts: 95
  • Loc: UK, Middlands

Post 3+ Months Ago

Hummm... okay... I guess I'll just have to try and hide the files and the variables in the JavaScript to make it harder to work out.

© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.