online Highscore

[h3ckboy]

hey I am developing a game and I would like to know how to put the highscore online. I am not sure what to best method to do this is so I am jus tgoing to leave my question broad.

[nuvi]

I just registered for this forum in order to ask precisely that question.  I made a Java Applet and I would like to save the high scores and associated names on the web server.  Please help.

[erikd]

Here is a nice tutorial:
http://woogley.net/misc/Highscore/

Games published by our own members! Check 'em out!

[h3ckboy]

I was having dificulty with PHP so I tried just editing a text file. I am able to read the file and get the info. but how do I write back into it.

[Markus_Persson]

Here is a nice tutorial:
http://woogley.net/misc/Highscore/

Err.. that tutorial seems to indicate that you should both include the name and password for the mysql user in the game client AND send it over unencrypted network. That is very very stupid, do not do that.
Additionally, a naive highscore implementation like that WILL get "hacked" in a matter of days. You'll get people with scores of 9999999999 and names like "hax0rman".
Unfortunately, verifying that a highscore is legit is not an easy problem to solve.

[Xyle]

Just saw the topic,

I used php and mysql to implement a high score board. Its takes a bit to code but its well worth it. Php is actually very easy to understand, just follow some online tutorials on it and you can pick it up in no time. As for Mysql, the best tutorial I found was at http://www.developer.com/java/data/article.php/3417381
Where they describe Mysql, how to download it, install it along with the j connector and get java working with it.

As for hacking the scoreboard, for my site, you must be a member to view the board and play the game, so if it gets hacked, at least youll know who did it, hehehehe.

[Eli Delventhal]

You can always put JDBC in your game and then just have the scores sent that way. Similarly you can (as people have mentioned) open up a website from your Java game that is a PHP page, and pass it scores and username with some sort of encryption. I would recommend doing the former if you don't mind having JDBC in your package.

[cylab]

The problem with JDBC is, that it could be difficult to find a public server that exposes the database ports to the net. Also not using http will cause problems for people behind a proxy. Writing a simple php (or jsp if available) seems the best option to me.

[Markus_Persson]

You can always put JDBC in your game and then just have the scores sent that way.

No. Do not do this. This is even worse than what I warned against before.

Not only do you have to reveal the user name and password for the database user, you also have to expose the database to the public internet. Do not ever ever do this!

Additionally, no amount of encryption will help

• . If the client is capable of doing something, the end user is capable of finding out how the client did it, since he has the client files on his computer.

[* Encrypting data traffic will help somewhat against people doing simple network snooping, but it's still The Wrong Way to Go]

[kevglass]

No. Do not do this. This is even worse than what I warned against before.

To re-emphasise, don't do it! Ever! I have actually been destroyed rather painfully for making this mistake. The layer of php acts as a reasonable limitation of what can/can't be done from the game.

A good way to validate scores is "record" the game activitiy - what was shot and when, what actions were taken - and then validate that the actions given would result in a score somewhere near the score submitted. It's a bit of a chore, but goods "pretty good" protection. If a hacker can be bothered to simulate a game to get the high score then they probably deserve the top score

Another nice touch I saw someone do is to, when a fraud has been detected, record the user's remote IP. When they access the scoreboard again show them a score board that appears to have been hacked with their score present. This seems to convince the typical script kiddie that they've succeeded and they toddle off never to bother you again. The real score board of course remains intact and everyone else see only valid scores

Kev

Games published by our own members! Check 'em out!

[h3ckboy]

I would do a PHP but I dont got admin privelages I may try to make a servlet is this a good idea. I would have to get wervlet JDK is this easy?

[kevglass]

You shouldn't need admin privs to just use PHP.

You proabably would to run Tomcat to host your servlet if they're not already running it.

Kev

[h3ckboy]

dont I need to install PHP?

[cylab]

Where are you hosted? Web hosters usually provide a php server along with the webspace they sell. Normally you have a subdir in your home where you can place your php-files. If you have a directory where you place your html-files, just try to create a "helloworld.php" with the following content in there:

1   2   3   4   5   6   7   8

<html>   <body>     <?php        echo "Hello World";        phpinfo();     ?>   </body> </html>

and open it like you would open a html-page in the bowser.

[h3ckboy]

I tried that and it ddnt work. my provider is sites.google. It is free so it is probably bad

do I make that a fiel ro do i jsut put that into the webpage?

[erikd]

Err.. that tutorial seems to indicate that you should both include the name and password for the mysql user in the game client AND send it over unencrypted network. That is very very stupid, do not do that.
Additionally, a naive highscore implementation like that WILL get "hacked" in a matter of days. You'll get people with scores of 9999999999 and names like "hax0rman".
Unfortunately, verifying that a highscore is legit is not an easy problem to solve.

Ahem, yes I didn't notice that 
I was writing a long post about it and then just before posting I saw this tutorial which seemed to explain the same thing... But yes absolutely, sending your database username/password over the net is a bad idea.

Anyway, the tutorial still explains the basic idea, just hardcode the MySQL username/password in the PHP script so you don't have to send it from your java client.
It's still not secure, but at least you won't open up the complete MySQL server on the net.
If that works, you can start securing your highscores.

[Eli Delventhal]

If you keep your PHP config file outside of your public_html folder and then include it from a php file within the public_html folder, it becomes much more difficult for people to hack to it and see what it contains.

[erikd]

If you keep your PHP config file outside of your public_html folder and then include it from a php file within the public_html folder, it becomes much more difficult for people to hack to it and see what it contains.

Excuse my ignorance, but is it possible to get the contents of a PHP script from outside the server then?

[kevglass]

Shouldn't be if your web server is configured correctly.

Kev

[CaptainJester]

www.freehostia.com

They provide free PHP hosting with 1 MySql database.  They also have the mime types properly configured to host webstartable apps.

[Renoria]

you should have an encrypted packet that sends to the server then the server will validate it and add it to the table or else it doesn't. Never put the mysql pass/user in the client because then they can access your SQL server, and you'll have to also portforward 3306.

Best way IMO is to send a score gain packet everytime they gain a score then send an end of game packet to add it to the highscore.

[h3ckboy]

I am at school right now. I will check it out as soon as I get home. thx

[Eli Delventhal]

Just so I can get another emboldened reply of what not to do from Markus:

What you really should do is have an applet save to a text file with all the high scores. Then you don't have to worry about SQL or anything! Yay!
 

[Xyle]

In that case you would have to use a signed applet?

or

The applet tells the server side program the highscore, the server side program writes to a text file, database entry, etc. <-- what I'm doing.

[CommanderKeith]

Hi, this is really interesting. I'm trying to learn a bit about php.

I've got a question: can you put passwords in your php file which is in a public folder in your web directory? I mean, can't anyone just access your password then? Or does the php server program pre-process the php file so that it never sends your php code, but just the html code that the php script generates? I'd really like to know the answer to this, let me know if i haven't described the problem properly. Thanks


PS
 This is funny, from the php tutorial here: http://www.w3schools.com/php/php_intro.asp:

What is PHP?

    * PHP stands for PHP: Hypertext Preprocessor

How does that make PHP, where does the first P come from?!?!?

[woogley]

I've got a question: can you put passwords in your php file which is in a public folder in your web directory? I mean, can't anyone just access your password then? Or does the php server program pre-process the php file so that it never sends your php code, but just the html code that the php script generates?

The PHP interpreter pre-processes everything between <?php ... ?>, so those commands are hidden. Anything outside of those tags will be visible.

1   2   3   4   5   6   7   8   9

<?php function bla() { // none of this code is visible } ?> This is visible! <?php // but this isn't ?>

Of course, there are some cases where data outside of the PHP tags is displayed based on a condition, like:

1   2   3   4   5   6

<?php if (someCondition) { ?> You'd only see this if someCondition is true <?php } ?>

[CommanderKeith]

Thanks heaps woogley, that makes sense now.

By the way, your tutorial rocks 

[woogley]

By the way, your tutorial rocks 

Thanks.. I hope you find it helpful. But also heed what was said above.. you wouldn't want to send the name/score unencrypted like that. The tutorial is meant to show the basic structure you can use to record scores, but you should also look into obfuscating the data sent from the client.

[CommanderKeith]

OK, so is the bottom line that there's no need to put the database name or password in the client? So maybe if you were to modify the tutorial, the database name and password would only be stored in the php script, and rather than having the client submitting a score by sending this URL string to the server (which includes the password):

http://yoursite.com/highscore.php?action=submit&admin_user=foo&admin_pass=bar&name=Bob&score=100&access_code=1234

it might be better to send something like this:

http://yoursite.com/highscore.php?action=submit&name=Bob&score=100&access_code=1234

So that the client does not have the password and database name. And then (somehow?!?!) you should check the score in the php script to stop someone from sending bogus scores or spamming the database with lots of scores...

[woogley]

it might be better to send something like this:
http://yoursite.com/highscore.php?action=submit&name=Bob&score=100&access_code=1234

Yea, I really don't know why that script even has you specify a username/password. Probably to keep script configuration to a minumum. These days I wouldn't even think about doing that in production.

BeetleMania submit a score like: http://url/submit?x=30237afc49038&y=3498573489573moregarbledjunk

obfuscated, but crackable.