I'm new to this forum. It's great! (Well, so far I've mostly "used" the Showcase forum to find amuzing games to play:))
So here I have a problem, I would like your input on.
A web server with PHP and a mysql database is used to collect player scores. Whenever a player has completed a game/level, the score is submitted to the server.
Somewhat needy players are able to decompile the game and see what and how data is sent. Ie. http://blah.blah?
score=123&player=JohnDoe. The players are then able to setup their own script that submits a score on a regular basis.
The attempted solution:
Add some checksum, ie. in the client do a MD5(score + "secret passphrase" + playername) and submit that as well: http://blah.blah?
- but that obviously just makes it slightly more difficult. One could make a "crazy checksum" with variables spread across all of the client, but it just takes a slightly more determined "hacker" to figure it out.
I've previously read suggestions like "do a replay of the game on the server, ie. submit all user actions" but that's also quite easy to figure out for a determined person.
So, how do you do it? Is it possible to achieve "good enough" security by using an obfuscator in Java? Switching to HTTPS is not a solution, as far as I can tell.
Any input would be greatly appreciated. I imagine it MUST be possible to avoid the decompilation somehow in Java. In Flash at least, the conclusion to this problem is sad: http://stackoverflow.com/questions/73947/what-is-the-best-way-to-stop-people-hacking-the-php-based-highscore-table-of-a-f
I hope for some good suggestions!
Best regards and thanks in advance,