-3

Well I am desiging an anti-cheat for the game combat arms. What i want to do is 'ping' the program with the database so that people cannot simply create a program that makes it seem as though they are using the anti-cheat.

Is there a way to 'encrypt' or stop other people simulating the connection easily? I am not great with PHP and this is how it adds it so far:

public function Update()
    {
        $ign = $_GET['ign'];
        $timestamp = $_GET['uid'];
        $time = time();

        if(($time - 10 < $timestamp) && ($time + 10 > $timestamp))
        {
            $this->connection();
            $data = mysql_query("SELECT * FROM users WHERE ign = '{$ign}'");
            if(mysql_num_rows($data) > 0)
            {
                mysql_query("UPDATE users SET lastonline = '{$time}' WHERE ign = '{$ign}'");
            }
            else
            {
                mysql_query("INSERT INTO users (id, ign, lastonline) VALUES ( NULL, '{$ign}', '{$time}' ) ");
            }

            echo "Connected to database";
        }
        else
        {
            echo "Problem connecting";
        }
    }

I need some sort of way to protect it/make it hard to crack quickly. And once cracked I can easily change, hope this has provided enough information!

Bojangles
  • 99,427
  • 50
  • 170
  • 208
Cacoon
  • 2,467
  • 6
  • 28
  • 61
  • 3
    Protecting games against fraud is a very complex undertaking. It's not as easy as inserting a couple lines here or there. – Pekka May 20 '13 at 13:25
  • 1
    See e.g. [What is the best way to stop people hacking the PHP-based highscore table of a Flash game](http://stackoverflow.com/questions/73947/what-is-the-best-way-to-stop-people-hacking-the-php-based-highscore-table-of-a-f) – Pekka May 20 '13 at 13:26
  • 2
    Also, what if my IGN is `x OR 1 == 1` and I get *everyone in the game banned*? – Amelia May 20 '13 at 13:27
  • 6
    Cheats are the least of your worries. How about protecting your data from SQL injections! – Bart May 20 '13 at 13:28
  • The game has terrible protection, we are making a third party program to improve that @Bart D: where is it vul? – Cacoon May 20 '13 at 13:34
  • @Cacoon: `$ign = $_GET['ign'];`. You're not even sanitizing. Later on, you're injecting that *raw* into a query. Do you expect people to play fair? – Sébastien Renauld May 20 '13 at 13:36
  • Is there any point? Really... I mean at the end of the day games are always being hacked. You can't stop people hacking them indefinitely because someone will always find a break in the code and exploit it. – Daniel Morgan May 20 '13 at 13:41

1 Answers1

1

Firstly, it's pretty much mandatory here that you sanitize your SQL input. I recommend using a prepare with PDO (ext/mysql is going on a journey far, far away).

$db = new PDO(<connection details>);
$prepare = $db->prepare("SELECT * FROM users WHERE ign = :ign");
// Tip: make sure you actually check the prepare worked before trying to execute.
$prepare->execute(array(":ign" => $ign));

And so on. Read the reference manual.

However if you are using mysql_* and refuse to change (though if you update PHP to 5.5 when it releases, you'll have E_DEPRECATED thrown), use mysql_real_escape_string and drop the quotes in the queries.

Next, onto actually handling the requests.

There's several ways to do this, but the most secure (and only option you should take) would be something cryptographically strong, such as a One Time Pad, or OAuth.

Generate credentials, and make the game send a token signed with a hash that is uniquely generated, perhaps from a product code. This should be unique for every installation and should generate hashes that are able to be validated by the script.

This is a problem that is constantly being researched by games companies, but it's often for naught; Your game can and will be reverse engineered by anyone who feels it's worthy of their time to do so. As will the Anti-Cheat.

Nevertheless, sign a request and include:
  • The player's in-game name
  • A very accurate timestamp which can be verified in some way.
  • Request signature (Cryptographically Secure)
  • Location Data (Useful for banning speedhackers, but be careful for false positives if someone teleports, etc)
  • Anything else required by the Anti-Cheat (You will likely have a specification for this)

Also, for the love of gaming, don't do a Punkbuster-style anti-cheat (aka don't ban on a request in a botnet-style fashion; it can be abused source )

Finally, I'd probably recommend getting a professional security researcher in to review everything.

Community
  • 1
  • 1
Amelia
  • 2,967
  • 2
  • 24
  • 39