
For example, I have a website where you can log in and have points. You can earn points by playing a snake game created with p5.js, so every time you play the snake game you earn points depending on your score. So in my sketch.js I have an AddPoints function that is called every time you play and hit a wall or yourself in the snake game.

function AddPoints(p) {
    $.ajax({
        type: "POST",                 // HTTP method
        url: "./index.php",           // page that receives the points
        data: { pts: p.toString() },  // the score, sent as a form field
        success: function (res) {
            // nothing to do on success
        }
    });
}

This function uses AJAX to POST to my index.php every time I finish the game.

<?php
  // $db and $username are assumed to be set earlier in the script (not shown in the post)
  if (isset($_POST['pts'])) {
      $pts = $_POST['pts'];
      // the client-supplied value is interpolated straight into the SQL string
      $query = "UPDATE user SET points=points+'$pts' WHERE username='$username'";
      mysqli_query($db, $query);
  }
?>

Now the problem that arises from this is that registered players can just use the Request Maker Google addon to make a POST request and change the value of pts to earn free points. Is there any workaround to this which allows me to add points to the MySQL database every time you earn points from the snake game, without hacking it and getting free points?

    Hi, what do you mean by "use Request Maker Google addon"? – Abed Putra Jun 16 '21 at 23:55
  • I'm 99.99% sure the answer is no. Also, you don't need an extension to send requests; I don't know why you think someone would need the "Request Maker Google addon". – Samathingamajig Jun 16 '21 at 23:56
    Anyone could do the same thing with `curl` or any other http client. – Bill Karwin Jun 16 '21 at 23:56
    Your code is susceptible to SQL Injection, learn more here https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1 – Samathingamajig Jun 16 '21 at 23:56
  • Or they could open up the dev tools and run `AddPoints` – Samathingamajig Jun 16 '21 at 23:57
  • I'm sorry, I didn't mean it's the only option, but they could use something like that, so there is no workaround to this? – Kazem Abousetta Jun 16 '21 at 23:58
  • Well you seem to have no authentication in your PHP script. You might like to start learning about that. Here's a Stack Overflow post about it: https://stackoverflow.com/questions/5507234/use-basic-authentication-with-jquery-and-ajax There's a lot to learn here if you want to write secure internet apps. – Bill Karwin Jun 17 '21 at 00:01

1 Answer


A more secure way would be to mirror the point calculation logic on the server, and parse the user's keystrokes and the position of the snake. For example, you could send a websocket message every time there's a new game tick, and also send a message about the location of the food pellets so the server can fully replicate the state of the game. When the snake runs into a wall or itself, you'll be able to detect it both on the client and on the server. No $.ajax should be needed at all, if the client's snake direction and food pellet locations are sent to the server over the websocket.

Maybe use a random number generator library so that you can start with a seed on both the client and server. This'll let you determine the food pellet locations without any additional requests, and will let you detect those who might be trying to hack into the game by sending duplicate socket messages. (Have the seed sent to the client by the server.)

If your code is sufficiently long, another method would be to obfuscate the request payload so that it isn't clear from looking at the network tools what exactly the requests mean, allowing your server to detect and discard malformed or duplicate requests.

In general, when stuff is being done on the client-side, fully preventing botting in situations like these isn't possible, but you can take steps to mitigate it and make it a lot harder to be exploited.

CertainPerformance
  • "Maybe use a random number generator library so that you can start with a seed on both the client and server." At this point you don't really even need to run the game simultaneously on the server, you can send the sequence of moves at the end and re-run the game on upload, kind of like a proof-of-work. Tie the seeds [which are now nonces] to the userid, add a time limit for submission. Slather on some extra authentication and obfuscation for the client side and you've got a stew going. – Sammitch Jun 17 '21 at 00:07