I made a fully JS game and I'd like to calculate a score and have the player insert it into the database with a nickname, so I can make a top high score ladder.

The problem is, can't they enter any number as their score, if they modify the script? Or if they simply access my PHP script and send some POST variables into it? Note that they will be validated as numbers/nickname, but can't they send ANY number they want? How can I prevent that?

George Irimiciuc
  • Since the code runs outside your control, you can't actually prevent this. You can make it *slightly* harder (make some sort of checksum etc), but essentially, client-side scripting is unfixably insecure. – Piskvor left the building Jul 15 '14 at 10:02
  • You can make it harder using other technologies like Flash but at the end, they can pass anything they want! – undone Jul 15 '14 at 10:03
  • @undone: The used technology doesn't matter. In the end, it boils down to some data being sent down the wire, with no useful way to verify that it's actually the data produced by your program (you can filter out the obvious attempts, but that will only leave you with subtler ones). – Piskvor left the building Jul 15 '14 at 10:04
  • Depending on the game, you can do certain sanity checks on it. For instance, if you know what the maximum possible score is for a given amount of play time, you can measure when the game started to the score's submission and see if it makes sense. Also depending on the game, you could send a "replay" of the game (i.e. the user's input) and reproduce the game on the server using the same input to see if you get the same result. However, this is entirely dependent on the type of game, there's no simple solution. – Niet the Dark Absol Jul 15 '14 at 10:06
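
The play-time sanity check described in the last comment, as an added example that is not code from the question or from any commenter. It assumes the server hands out an HMAC-signed start token when a game begins, so the start time cannot be chosen by the client; `SECRET_KEY`, `MAX_POINTS_PER_SECOND`, `MIN_PLAY_SECONDS` and both function names are hypothetical. It only filters out implausible submissions: a score inside the plausible range is still accepted, whoever produced it.

```php
<?php
// Added example: server-side plausibility check for a submitted score.
// All constants and function names below are assumptions for illustration.
const SECRET_KEY = 'replace-with-a-random-server-side-secret';
const MAX_POINTS_PER_SECOND = 50; // assumed ceiling for this particular game
const MIN_PLAY_SECONDS = 5;       // assumed shortest possible real game

// Called when a game starts: the server, not the client, fixes the start time.
function issueStartToken(int $now): string {
    $payload = bin2hex(random_bytes(8)) . '.' . $now;   // nonce.startTime
    return $payload . '.' . hash_hmac('sha256', $payload, SECRET_KEY);
}

// Called on submission. Returns null if plausible, otherwise the reason to reject.
function rejectReason(string $token, $score, int $now): ?string {
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return 'malformed token';
    }
    [$nonce, $start, $mac] = $parts;
    // Constant-time comparison so the MAC cannot be guessed byte by byte.
    if (!hash_equals(hash_hmac('sha256', "$nonce.$start", SECRET_KEY), $mac)) {
        return 'bad token signature';
    }
    if (filter_var($score, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]) === false) {
        return 'score is not a non-negative integer';
    }
    $elapsed = $now - (int)$start;
    if ($elapsed < MIN_PLAY_SECONDS) {
        return 'submitted too soon';
    }
    if ((int)$score > $elapsed * MAX_POINTS_PER_SECOND) {
        return 'score too high for play time';
    }
    // A real handler would also record $nonce as used so a token cannot be replayed.
    return null;
}

// Constructed sample submissions against one token issued at a fixed time.
$t0 = 1405418400;
$token = issueStartToken($t0);
var_dump(rejectReason($token, '2500', $t0 + 60));            // plausible for 60 s
var_dump(rejectReason($token, '999999', $t0 + 60));          // over the ceiling
var_dump(rejectReason($token, '100', $t0 + 1));              // faster than any game
var_dump(rejectReason('abcd.' . $t0 . '.00', '100', $t0 + 60)); // forged token
```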

0 Answers