6

I have used this HTML5 Snake game on my website, but the problem is that it can be hacked so easily.

http://cssdeck.com/labs/classic-snake-game-with-html5-canvas

Hackers can inject scores and submit their own scores.

Is there any way to protect the score variable inside the script from being injected by clients?

AstroCB
Mac Taylor

1 Answer

7

Not as long as the game is implemented entirely on the client side. The "solution" is to implement the game rules and storage on the server side, and have the client be mostly UI, but this might be overkill for such a simple browser game.

You could make it harder by obfuscating the code, but that would only stop people who don't actually care.

If the game is deterministic you could keep a log of all game "events" and send that to the server, where the score would be calculated. This would make it more work to fake a score, but it would still be possible to fake, and it would also be a lot of work to build such a system.

Jason S
  • Thanks, so there is no way to make this game immune from being hacked. I heard about private variables, isn't it useful here? http://stackoverflow.com/questions/3194632/ways-to-make-javascript-code-hacking-injection-manipulation-difficult – Mac Taylor Jul 30 '14 at 03:35
  • Hm. The approach there would prevent someone from casually changing variables "live" in the javascript console. It would do nothing to prevent them from submitting whatever score to the server though. And they could get around it in various ways like just substituting an edited script file. I would put that in the same category as obfuscation - it makes it harder but only stops people who don't actually care. Not a bad idea though as it also helps prevent global namespace collisions. – Jason S Jul 30 '14 at 03:43
  • And what about using console.log() to save all moves and, at the end, before saving the score, check the log, and if the log is equal to the score then it is true. Can anyone also inject into the console log? – Mac Taylor Jul 30 '14 at 05:06
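
The event-log approach from the answer, sketched as an added example that is not part of the original thread or of the linked game's code: the server recomputes the score by replaying the submitted moves instead of trusting a score field. The grid size, the `{ tick, dir }` log shape, the starting position, and a server-issued `seed` driving food placement through a seeded PRNG are all assumptions of this sketch.

```javascript
// Added example (Node.js): recompute a Snake score from a client move log.
// GRID, the log shape and the seeded PRNG are assumptions of this sketch.
const GRID = 20;
const DIRS = { up: [0, -1], down: [0, 1], left: [-1, 0], right: [1, 0] };

// Seeded PRNG (mulberry32) so food placement is reproducible on the server.
function prng(seed) {
  let a = seed >>> 0;
  return () => {
    a = (a + 0x6D2B79F5) >>> 0;
    let t = Math.imul(a ^ (a >>> 15), a | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// log: [{ tick, dir }] ordered by tick. Returns the replayed score, or null
// when the log is malformed (unknown direction, out-of-order or extra events).
function replayScore(seed, log, totalTicks) {
  if (!Array.isArray(log) || !Number.isInteger(totalTicks)) return null;
  if (totalTicks < 0 || totalTicks > 100000) return null; // bound server work
  const rand = prng(seed);
  const snake = [[2, 0], [1, 0], [0, 0]]; // head first, moving right
  const on = ([x, y]) => snake.some(([sx, sy]) => sx === x && sy === y);
  const newFood = () => {
    let f;
    do { f = [Math.floor(rand() * GRID), Math.floor(rand() * GRID)]; } while (on(f));
    return f;
  };
  let food = newFood(), dir = "right", score = 0, i = 0;
  for (let tick = 0; tick < totalTicks; tick++) {
    while (i < log.length && log[i] && log[i].tick === tick) {
      const d = log[i++].dir;
      if (!Object.prototype.hasOwnProperty.call(DIRS, d)) return null;
      const [dx, dy] = DIRS[d], [cx, cy] = DIRS[dir];
      if (dx !== -cx || dy !== -cy) dir = d; // ignore 180-degree reversals
    }
    const head = [snake[0][0] + DIRS[dir][0], snake[0][1] + DIRS[dir][1]];
    if (head.some((v) => v < 0 || v >= GRID) || on(head)) break; // wall or self
    snake.unshift(head);
    if (head[0] !== food[0] || head[1] !== food[1]) { snake.pop(); continue; }
    score++;
    if (snake.length === GRID * GRID) break; // board full, no cell for food
    food = newFood();
  }
  return i < log.length ? null : score; // leftover events mean a bad log
}
```

Replay only proves that the score corresponds to a legal sequence of moves for that seed; as the answer says, a script can still generate such a sequence.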