I'm creating a game site and when a player has finished playing the game, I want the site to update the score to a database. Now my only problem is, the player can easily cheat their score by using JavaScript methods/code in the browser. How can I do this?

blendy
  • then you should sanitise it before putting it into the database... – A. L Feb 27 '17 at 06:08
  • Store the game scores in PHP variables as soon as the game ends. Whatever is stored in JavaScript can be neglected. – Vishnu Y S Feb 27 '17 at 06:09
  • Possible duplicate of [Prevent Javascript games tweaking/hacking](http://stackoverflow.com/questions/6320996/prevent-javascript-games-tweaking-hacking) – mickmackusa Feb 27 '17 at 06:11

1 Answer

> The player can easily cheat their score by using javascript methods/code in the browser.

Obfuscation: If your goal is to prevent it from happening easily, you can obfuscate your JavaScript code. Edit: After reading @mickmackusa's link, IIFEs are a quick way to achieve what you're looking for.

Signatures: If your goal is to prevent it from happening ever, you should consider using a verifiable signature or hash. The more JS-heavy the app, the harder this can get. For example, if the signature is generated client-side via pure JavaScript, your code would still leak everything an attacker would need to fake the signature. The accepted design is to move the private components server-side where they can be protected.

Obfuscation is quite effective as long as the burden of deobfuscating is far greater than the rewards (or risks) associated with an attacker figuring it out.

tresf
  • All I need to make sure is that the score sent to the database is the correct score – blendy Feb 27 '17 at 06:41
  • Minimizing the way the problem sounds does not affect the end-solution. If you need to guarantee the authenticity, use a verifiable unalterable method. If you want to filter out 99% of hackers make the code so confusing that even you can't understand after studying it how it's sent to the back-end. – tresf Feb 27 '17 at 06:48
  • Assuming the problem happens mostly when people are on a scoreboard asked for their name, you may also choose to use a unique ID for each score in the database and then have the final screen which asks for the name to simply modify that record. This still isn't foolproof and I would recommend you store some form of timestamp on session so that someone doesn't wipe your database clean. It's still a poor design though. If you want it secured, you'll need to use a secure, trusted method of data signing. – tresf Feb 27 '17 at 06:54
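
Added example, not code from the original answer or its comments: the server-side signing design the answer describes, combined with the unique ID and session timestamp suggested in the last comment, written for a Node.js backend. The function names, the in-memory store and the limits are assumptions; the signature authenticates the session ticket, while the score itself is only bounded by a plausibility check.

```javascript
// Added example (server-side, Node.js). Names, limits and the in-memory store are assumptions.
const { createHmac, randomBytes, randomUUID, timingSafeEqual } = require('node:crypto');

const SERVER_KEY = randomBytes(32);   // stays on the server, never shipped in page JS
const MAX_POINTS_PER_SECOND = 50;     // assumed game-specific ceiling
const MAX_GAME_SECONDS = 600;         // assumed longest legitimate game
const usedSessions = new Set();       // stand-in for a database table of spent IDs

function sign(payload) {
  return createHmac('sha256', SERVER_KEY).update(payload).digest('hex');
}

// Called when a game starts: the server picks the ID and start time, then signs them.
function issueTicket(nowMs = Date.now()) {
  const payload = `${randomUUID()}.${nowMs}`;
  return `${payload}.${sign(payload)}`;
}

// Called when the client reports a score. Returns { ok, reason }.
function submitScore(ticket, score, nowMs = Date.now()) {
  const parts = String(ticket).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed ticket' };
  const [id, startedAt, mac] = parts;

  // Recompute the MAC over the server-chosen fields and compare in constant time.
  const expected = Buffer.from(sign(`${id}.${startedAt}`), 'hex');
  const given = Buffer.from(mac, 'hex');
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad signature' };
  }
  if (usedSessions.has(id)) return { ok: false, reason: 'ticket already used' };

  const elapsed = (nowMs - Number(startedAt)) / 1000;
  if (elapsed <= 0 || elapsed > MAX_GAME_SECONDS) {
    return { ok: false, reason: 'ticket expired' };
  }
  // The client still reports the score, so the server can only bound it.
  if (!Number.isInteger(score) || score < 0 || score > elapsed * MAX_POINTS_PER_SECOND) {
    return { ok: false, reason: 'implausible score' };
  }
  usedSessions.add(id);               // one score row per issued ticket
  return { ok: true, reason: 'accepted' };
}
```

A score that passes these checks is plausible rather than proven; a stronger guarantee requires the server to compute the score itself from the reported game inputs.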