Java-Gaming.org    
Featured games (81)
games approved by the League of Dukes
Games in Showcase (487)
Games in Android Showcase (112)
games submitted by our members
Games in WIP (553)
games currently in development
News: Read the Java Gaming Resources, or peek at the official Java tutorials
 
    Home     Help   Search   Login   Register   
Pages: [1] 2
  ignore  |  Print  
  online Highscore  (Read 8708 times)
0 Members and 1 Guest are viewing this topic.
Offline h3ckboy

JGO Coder


Medals: 5



« Posted 2009-01-30 21:27:58 »

hey I am developing a game and I would like to know how to put the highscore online. I am not sure what to best method to do this is so I am jus tgoing to leave my question broad.
Offline nuvi

Innocent Bystander





« Reply #1 - Posted 2009-01-30 23:40:01 »

I just registered for this forum in order to ask precisely that question.  I made a Java Applet and I would like to save the high scores and associated names on the web server.  Please help.
Offline erikd

JGO Ninja


Medals: 16
Projects: 4
Exp: 14 years


Maximumisness


« Reply #2 - Posted 2009-01-31 01:23:01 »

Here is a nice tutorial:
http://woogley.net/misc/Highscore/

Games published by our own members! Check 'em out!
Legends of Yore - The Casual Retro Roguelike
Offline h3ckboy

JGO Coder


Medals: 5



« Reply #3 - Posted 2009-01-31 08:56:16 »

I was having dificulty with PHP so I tried just editing a text file. I am able to read the file and get the info. but how do I write back into it.
Offline Markus_Persson

JGO Wizard


Medals: 14
Projects: 19


Mojang Specifications


« Reply #4 - Posted 2009-02-01 12:35:08 »

Here is a nice tutorial:
http://woogley.net/misc/Highscore/

Err.. that tutorial seems to indicate that you should both include the name and password for the mysql user in the game client AND send it over unencrypted network. That is very very stupid, do not do that.
Additionally, a naive highscore implementation like that WILL get "hacked" in a matter of days. You'll get people with scores of 9999999999 and names like "hax0rman".
Unfortunately, verifying that a highscore is legit is not an easy problem to solve.

Play Minecraft!
Offline Xyle
« Reply #5 - Posted 2009-02-04 04:26:24 »

Just saw the topic,

I used php and mysql to implement a high score board. Its takes a bit to code but its well worth it. Php is actually very easy to understand, just follow some online tutorials on it and you can pick it up in no time. As for Mysql, the best tutorial I found was at http://www.developer.com/java/data/article.php/3417381
Where they describe Mysql, how to download it, install it along with the j connector and get java working with it.

As for hacking the scoreboard, for my site, you must be a member to view the board and play the game, so if it gets hacked, at least youll know who did it, hehehehe.

Life is just a game, learn to play!
------------------------------------------
╬-YellzBellz Games!-╬ Cheesy
Offline Eli Delventhal

JGO Kernel


Medals: 42
Projects: 11
Exp: 10 years


Game Engineer


« Reply #6 - Posted 2009-02-04 08:12:41 »

You can always put JDBC in your game and then just have the scores sent that way. Similarly you can (as people have mentioned) open up a website from your Java game that is a PHP page, and pass it scores and username with some sort of encryption. I would recommend doing the former if you don't mind having JDBC in your package.

See my work:
OTC Software
Offline cylab

JGO Ninja


Medals: 43



« Reply #7 - Posted 2009-02-04 08:33:47 »

The problem with JDBC is, that it could be difficult to find a public server that exposes the database ports to the net. Also not using http will cause problems for people behind a proxy. Writing a simple php (or jsp if available) seems the best option to me.

Mathias - I Know What [you] Did Last Summer!
Offline Markus_Persson

JGO Wizard


Medals: 14
Projects: 19


Mojang Specifications


« Reply #8 - Posted 2009-02-04 09:36:12 »

You can always put JDBC in your game and then just have the scores sent that way.

No. Do not do this. This is even worse than what I warned against before.

Not only do you have to reveal the user name and password for the database user, you also have to expose the database to the public internet. Do not ever ever do this!

Additionally, no amount of encryption will help
  • . If the client is capable of doing something, the end user is capable of finding out how the client did it, since he has the client files on his computer.
[* Encrypting data traffic will help somewhat against people doing simple network snooping, but it's still The Wrong Way to Go]

Play Minecraft!
Offline kevglass

JGO Kernel


Medals: 159
Projects: 23
Exp: 18 years


Coder, Trainee Pixel Artist, Game Reviewer


« Reply #9 - Posted 2009-02-04 09:50:10 »

Quote
No. Do not do this. This is even worse than what I warned against before.

To re-emphasise, don't do it! Ever! I have actually been destroyed rather painfully for making this mistake. The layer of php acts as a reasonable limitation of what can/can't be done from the game.

A good way to validate scores is "record" the game activitiy - what was shot and when, what actions were taken - and then validate that the actions given would result in a score somewhere near the score submitted. It's a bit of a chore, but goods "pretty good" protection. If a hacker can be bothered to simulate a game to get the high score then they probably deserve the top score Smiley

Another nice touch I saw someone do is to, when a fraud has been detected, record the user's remote IP. When they access the scoreboard again show them a score board that appears to have been hacked with their score present. This seems to convince the typical script kiddie that they've succeeded and they toddle off never to bother you again. The real score board of course remains intact and everyone else see only valid scores Smiley

Kev

Games published by our own members! Check 'em out!
Legends of Yore - The Casual Retro Roguelike
Offline h3ckboy

JGO Coder


Medals: 5



« Reply #10 - Posted 2009-02-04 12:17:24 »

I would do a PHP but I dont got admin privelages Sad I may try to make a servlet is this a good idea. I would have to get wervlet JDK is this easy?
Offline kevglass

JGO Kernel


Medals: 159
Projects: 23
Exp: 18 years


Coder, Trainee Pixel Artist, Game Reviewer


« Reply #11 - Posted 2009-02-04 12:45:24 »

You shouldn't need admin privs to just use PHP.

You proabably would to run Tomcat to host your servlet if they're not already running it.

Kev

Offline h3ckboy

JGO Coder


Medals: 5



« Reply #12 - Posted 2009-02-04 12:53:17 »

dont I need to install PHP?
Offline cylab

JGO Ninja


Medals: 43



« Reply #13 - Posted 2009-02-04 16:12:48 »

Where are you hosted? Web hosters usually provide a php server along with the webspace they sell. Normally you have a subdir in your home where you can place your php-files. If you have a directory where you place your html-files, just try to create a "helloworld.php" with the following content in there:

1  
2  
3  
4  
5  
6  
7  
8  
<html>
  <body>
    <?php
       echo "Hello World";
       phpinfo();
    ?>
  </body>
</html>


and open it like you would open a html-page in the bowser.

Mathias - I Know What [you] Did Last Summer!
Offline h3ckboy

JGO Coder


Medals: 5



« Reply #14 - Posted 2009-02-04 17:24:04 »

I tried that and it ddnt work. my provider is sites.google. It is free so it is probably bad Sad

do I make that a fiel ro do i jsut put that into the webpage?
Offline erikd

JGO Ninja


Medals: 16
Projects: 4
Exp: 14 years


Maximumisness


« Reply #15 - Posted 2009-02-04 18:46:11 »

Err.. that tutorial seems to indicate that you should both include the name and password for the mysql user in the game client AND send it over unencrypted network. That is very very stupid, do not do that.
Additionally, a naive highscore implementation like that WILL get "hacked" in a matter of days. You'll get people with scores of 9999999999 and names like "hax0rman".
Unfortunately, verifying that a highscore is legit is not an easy problem to solve.

Ahem, yes I didn't notice that  persecutioncomplex
I was writing a long post about it and then just before posting I saw this tutorial which seemed to explain the same thing... But yes absolutely, sending your database username/password over the net is a bad idea.

Anyway, the tutorial still explains the basic idea, just hardcode the MySQL username/password in the PHP script so you don't have to send it from your java client.
It's still not secure, but at least you won't open up the complete MySQL server on the net.
If that works, you can start securing your highscores.

Offline Eli Delventhal

JGO Kernel


Medals: 42
Projects: 11
Exp: 10 years


Game Engineer


« Reply #16 - Posted 2009-02-04 18:58:11 »

If you keep your PHP config file outside of your public_html folder and then include it from a php file within the public_html folder, it becomes much more difficult for people to hack to it and see what it contains.

See my work:
OTC Software
Offline erikd

JGO Ninja


Medals: 16
Projects: 4
Exp: 14 years


Maximumisness


« Reply #17 - Posted 2009-02-04 19:41:02 »

If you keep your PHP config file outside of your public_html folder and then include it from a php file within the public_html folder, it becomes much more difficult for people to hack to it and see what it contains.

Excuse my ignorance, but is it possible to get the contents of a PHP script from outside the server then?

Offline kevglass

JGO Kernel


Medals: 159
Projects: 23
Exp: 18 years


Coder, Trainee Pixel Artist, Game Reviewer


« Reply #18 - Posted 2009-02-04 19:44:03 »

Shouldn't be if your web server is configured correctly.

Kev

Offline CaptainJester

JGO Knight


Medals: 12
Projects: 2
Exp: 14 years


Make it work; make it better.


« Reply #19 - Posted 2009-02-04 20:05:15 »

www.freehostia.com

They provide free PHP hosting with 1 MySql database.  They also have the mime types properly configured to host webstartable apps.

Offline Renoria

Junior Member




...


« Reply #20 - Posted 2009-02-05 08:11:27 »

you should have an encrypted packet that sends to the server then the server will validate it and add it to the table or else it doesn't. Never put the mysql pass/user in the client because then they can access your SQL server, and you'll have to also portforward 3306.

Best way IMO is to send a score gain packet everytime they gain a score then send an end of game packet to add it to the highscore.
Offline h3ckboy

JGO Coder


Medals: 5



« Reply #21 - Posted 2009-02-05 08:21:20 »

I am at school right now. I will check it out as soon as I get home. thx
Offline Eli Delventhal

JGO Kernel


Medals: 42
Projects: 11
Exp: 10 years


Game Engineer


« Reply #22 - Posted 2009-02-05 22:19:19 »

Just so I can get another emboldened reply of what not to do from Markus:

What you really should do is have an applet save to a text file with all the high scores. Then you don't have to worry about SQL or anything! Yay!
 Grin


See my work:
OTC Software
Offline Xyle
« Reply #23 - Posted 2009-02-06 02:24:36 »

In that case you would have to use a signed applet?

or

The applet tells the server side program the highscore, the server side program writes to a text file, database entry, etc. <-- what I'm doing.

Life is just a game, learn to play!
------------------------------------------
╬-YellzBellz Games!-╬ Cheesy
Online CommanderKeith
« Reply #24 - Posted 2009-02-06 03:16:17 »

Hi, this is really interesting. I'm trying to learn a bit about php.

I've got a question: can you put passwords in your php file which is in a public folder in your web directory? I mean, can't anyone just access your password then? Or does the php server program pre-process the php file so that it never sends your php code, but just the html code that the php script generates? I'd really like to know the answer to this, let me know if i haven't described the problem properly. Thanks Smiley


PS
 This is funny, from the php tutorial here: http://www.w3schools.com/php/php_intro.asp:
Quote
What is PHP?

    * PHP stands for PHP: Hypertext Preprocessor

How does that make PHP, where does the first P come from?!?!?

Offline woogley
« Reply #25 - Posted 2009-02-06 03:23:09 »


I've got a question: can you put passwords in your php file which is in a public folder in your web directory? I mean, can't anyone just access your password then? Or does the php server program pre-process the php file so that it never sends your php code, but just the html code that the php script generates?

The PHP interpreter pre-processes everything between <?php ... ?>, so those commands are hidden. Anything outside of those tags will be visible.

1  
2  
3  
4  
5  
6  
7  
8  
9  
<?php
function bla() {
// none of this code is visible
}
?>
This is visible!
<?php
// but this isn't
?>


Of course, there are some cases where data outside of the PHP tags is displayed based on a condition, like:

1  
2  
3  
4  
5  
6  
<?php
if (someCondition) { ?>
You'd only see this if someCondition is true
<?php
}
?>

Online CommanderKeith
« Reply #26 - Posted 2009-02-06 03:32:12 »

Thanks heaps woogley, that makes sense now.

By the way, your tutorial rocks  Cool

Offline woogley
« Reply #27 - Posted 2009-02-06 03:37:29 »

By the way, your tutorial rocks  Cool

Thanks.. I hope you find it helpful. But also heed what was said above.. you wouldn't want to send the name/score unencrypted like that. The tutorial is meant to show the basic structure you can use to record scores, but you should also look into obfuscating the data sent from the client.
Online CommanderKeith
« Reply #28 - Posted 2009-02-06 03:53:33 »

OK, so is the bottom line that there's no need to put the database name or password in the client? So maybe if you were to modify the tutorial, the database name and password would only be stored in the php script, and rather than having the client submitting a score by sending this URL string to the server (which includes the password):

http://yoursite.com/highscore.php?action=submit&admin_user=foo&admin_pass=bar&name=Bob&score=100&access_code=1234

it might be better to send something like this:

http://yoursite.com/highscore.php?action=submit&name=Bob&score=100&access_code=1234

So that the client does not have the password and database name. And then (somehow?!?!) you should check the score in the php script to stop someone from sending bogus scores or spamming the database with lots of scores...

Offline woogley
« Reply #29 - Posted 2009-02-06 04:15:25 »


Yea, I really don't know why that script even has you specify a username/password. Probably to keep script configuration to a minumum. These days I wouldn't even think about doing that in production.

BeetleMania submit a score like: http://url/submit?x=30237afc49038&y=3498573489573moregarbledjunk

obfuscated, but crackable.

Pages: [1] 2
  ignore  |  Print  
 
 
You cannot reply to this message, because it is very, very old.

 

Add your game by posting it in the WIP section,
or publish it in Showcase.

The first screenshot will be displayed as a thumbnail.

TehJavaDev (16 views)
2014-08-28 18:26:30

CopyableCougar4 (25 views)
2014-08-22 19:31:30

atombrot (38 views)
2014-08-19 09:29:53

Tekkerue (35 views)
2014-08-16 06:45:27

Tekkerue (32 views)
2014-08-16 06:22:17

Tekkerue (20 views)
2014-08-16 06:20:21

Tekkerue (32 views)
2014-08-16 06:12:11

Rayexar (66 views)
2014-08-11 02:49:23

BurntPizza (44 views)
2014-08-09 21:09:32

BurntPizza (35 views)
2014-08-08 02:01:56
List of Learning Resources
by Longor1996
2014-08-16 10:40:00

List of Learning Resources
by SilverTiger
2014-08-05 19:33:27

Resources for WIP games
by CogWheelz
2014-08-01 16:20:17

Resources for WIP games
by CogWheelz
2014-08-01 16:19:50

List of Learning Resources
by SilverTiger
2014-07-31 16:29:50

List of Learning Resources
by SilverTiger
2014-07-31 16:26:06

List of Learning Resources
by SilverTiger
2014-07-31 11:54:12

HotSpot Options
by dleskov
2014-07-08 01:59:08
java-gaming.org is not responsible for the content posted by its members, including references to external websites, and other references that may or may not have a relation with our primarily gaming and game production oriented community. inquiries and complaints can be sent via email to the info‑account of the company managing the website of java‑gaming.org
Powered by MySQL Powered by PHP Powered by SMF 1.1.18 | SMF © 2013, Simple Machines | Managed by Enhanced Four Valid XHTML 1.0! Valid CSS!