Impact

This forum is read only and just serves as an archive. If you have any questions, please post them on github.com/phoboslab/impact

1 decade ago by smj93

I have found a problem within the code: after baking the game you can open the JavaScript file in the console and Ctrl+F to find the PHP file name. This then allows you to see what data is being posted from the game to the PHP file, making it easy for hackers to then post their own scores using the PHP file... Anybody know a way to stop this?

1 decade ago by stillen

You could always crypto.js the score on the client side, then decode it on the server side. It would also be good not to name the web service or parameters something that is easily human-readable, to avoid some hackers.

1 decade ago by TigerJ

Well, this is an issue you are going to combat for a while, especially since the game is running client-side (unless you are using node or some similar server-side code).

Even if you obscure the URL, someone could use a tool like Fiddler to spoof the message to your server. I had a very similar situation about a year ago and there are a lot of great posts and suggestions should you want to read further about the issue:

http://www.reddit.com/r/gamedev/comments/zs54g/injection_after_posting_on_gamedev/

The first set of attacks I experienced were injecting HTML into the scores and also causing the leaderboards to redirect users to bobby tables (LOL).

After I started cleaning the strings on the PHP, SQL and JavaScript side, most of these injections were failing (good).

People still could spoof their scores and sometimes still do. I talked to some more successful developers with large commercial games and they even have issues with the Apple Game Center submissions being spoofed.

It turns out this is pretty "normal"; people will find ways to cheat. Rather than obsess, I just offer a varied range of scores (this month, this year, today) and impossibles.

You could spend a lot of time trying to protect the leaderboard by logging values and encrypting some messaging to and from the server, running server-side calculations with node.js or something... but I just decided to go the cheap route and focus more on making games than securing a leaderboard.

Good luck with your game and however you decide to combat the cheaters.
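
The server-side checks discussed in this thread (cleaning strings, rejecting spoofed or impossible scores), sketched in Node.js as an added example that is not part of the original posts. All function names, the 50 points-per-second ceiling and the 20-character name limit are assumptions; the signing key stays on the server, so nothing secret ships in the baked game.

```javascript
const crypto = require('node:crypto');

const SERVER_KEY = crypto.randomBytes(32); // server-only secret, never sent to the client
const MAX_POINTS_PER_SECOND = 50;          // assumed ceiling for this hypothetical game
const MAX_NAME_LENGTH = 20;                // assumed limit
const usedSessions = new Set();            // in production: a table with expiry

function sign(data) {
  return crypto.createHmac('sha256', SERVER_KEY).update(data).digest('hex');
}

// Called when a game starts: the server fixes the start time in a signed token.
function issueSession(nowMs) {
  const payload = `${crypto.randomUUID()}.${nowMs}`;
  return `${payload}.${sign(payload)}`;
}

// Escape a player name at render time so stored markup cannot run on the leaderboard.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function validateSubmission({ token, name, score }, nowMs) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'bad token' };
  const [id, startedAt, mac] = parts;
  const given = Buffer.from(mac);
  const expected = Buffer.from(sign(`${id}.${startedAt}`));
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad token' };
  }
  if (usedSessions.has(id)) return { ok: false, reason: 'replayed session' };
  if (!Number.isInteger(score) || score < 0) return { ok: false, reason: 'bad score' };
  // Plausibility: a score cannot exceed what the elapsed play time allows.
  const elapsedSec = (nowMs - Number(startedAt)) / 1000;
  if (elapsedSec <= 0 || score > elapsedSec * MAX_POINTS_PER_SECOND) {
    return { ok: false, reason: 'implausible score' };
  }
  if (typeof name !== 'string' || name.length < 1 || name.length > MAX_NAME_LENGTH) {
    return { ok: false, reason: 'bad name' };
  }
  usedSessions.add(id);
  // Store `name` raw via a parameterized query; use displayName when rendering HTML.
  return { ok: true, row: { name, score, displayName: escapeHtml(name) } };
}
```

This bounds what a spoofed request can claim rather than preventing spoofing: a client that waits long enough can still submit any score under the ceiling.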