online Highscore

[CommanderKeith]

Cool thanks

[Orangy Tang]

So that the client does not have the password and database name. And then (somehow?!?!) you should check the score in the php script to stop someone from sending bogus scores or spamming the database with lots of scores...

Sending an encrypted version of the score, and/or a hash of the score (with salt!) will make it much harder for someone to fake a score submission by hand. And use POST instead of GET or you'll Break The Internet.

Of course this doesn't protect you from someone decompiling the client and jimmying the high score before it's sent, but it's better than nothing.

[Markus_Persson]

Sending an encrypted version of the score, and/or a hash of the score (with salt!) will make it much harder for someone to fake a score submission by hand. And use POST instead of GET or you'll Break The Internet.

Of course this doesn't protect you from someone decompiling the client and jimmying the high score before it's sent, but it's better than nothing.

It'd take me about three minutes to crack that.

Games published by our own members! Check 'em out!

[Orangy Tang]

It'd take me about three minutes to crack that.

I'm sure you would but it's better than just sending the score as plain text.

Frankly I'm of the opinion that unless you can actually send a deterministic replay to the server that it can replay everything is going to be easily circumvented by decompilation. The question whether you feel it worth your time to do it properly or whether you can get by with manual moderation.

[h3ckboy]

teh freehostia is not free!!!!! tisyas must pay $10 to get a domain name. is there another way? aso i tried the condition thing and even if I amde it false it still appeared

[cylab]

teh freehostia is not free!!!!! tisyas must pay $10 to get a domain name. is there another way? aso i tried the condition thing and even if I amde it false it still appeared

Please at least try to write in a readable manner. One simple reread would have made it. It is just easier for us (especially the non-english speakers) to gasp what you want. Also it's more likely to get sensible answers.

Quote from http://www.catb.org/~esr/faqs/smart-questions.html#writewell:

We've found by experience that people who are careless and sloppy writers are usually also careless and sloppy at thinking and coding (often enough to bet on, anyway). Answering questions for careless and sloppy thinkers is not rewarding; we'd rather spend our time elsewhere.

This quote might be a preconception, but if you had actually tried to sign in Freehostias "Chocolate" package, you would have found out, that you can use a subdomain under freehostia.org for free.

[Markus_Persson]

Frankly I'm of the opinion that unless you can actually send a deterministic replay to the server that it can replay everything is going to be easily circumvented by decompilation.

Agreed, in practice.

In theory, there are others even more secure solutions.
For example, you could make the client just a video player, then run the ENTIRE GAME on the server, sending the rendered video of the game screen to the client, and sending back inputs to the server.
There are of course less silly variants derived from this thing, including the possibility of having clients verify each other. (While a client is playing, have it re-play a pending highscore entry. If more than, say, 50 clients with different IPs all end up claiming the same score for that entry, allow it.)

[erikd]

Even replays can be faked.

I guess whether or not highscores are faked all depends on how bad people actually want to cheat. Announcing that cheaters are banned might help with that too.
Or writing a bad game 

Personally I never had problems with fake high scores (at least not that I'm aware of  ), and I didn't have much security in the high score posting but did have quite a lot of visitors.

[Hansdampf]

Even replays can be faked.

I guess whether or not highscores are faked all depends on how bad people actually want to cheat. Announcing that cheaters are banned might help with that too.
Or writing a bad game 

Personally I never had problems with fake high scores (at least not that I'm aware of  ), and I didn't have much security in the high score posting but did have quite a lot of visitors.

Just wantet to play cosmictrip.
You seem to have a problem with a turkish hacker:
http://www.gagaplay.com/cosmictrip/index.html

edit: seems to be a 'script granny' who hacked more than 200.000 sites.

[erikd]

Just wantet to play cosmictrip.
You seem to have a problem with a turkish hacker:
http://www.gagaplay.com/cosmictrip/index.html

edit: seems to be a 'script granny' who hacked more than 200.000 sites.

Yes, I know...
It wasn't hacked through my highscore saving though (apparently it was hacked through another site running on the same server, running Joomla)

I haven't found the time to fix it yet.
Apparently the host's backup also didn't work, and my own PC with the latest version of the site was completely crashed just before the server got hacked 

Games published by our own members! Check 'em out!

[sunsett]

Reading this thread all I can say is WOW!

Looks like a lot of programmers need to think just a little about security in their development process...really....I'm just amazed.

[markmistry]

Hmmm..security so how do i know if i implemented my game correctly with my mysql ?
How does one go about testing something like that with out inviting hackers?

When i first started writing my server side i had security in mind so hopefully i wont have much trouble.
My clients dont communicate with the mysql directly they have to go through a java application core server that acts as a messenger to mysql this is the same with my game servers.

If you know what question to ask i will be able to answer it the way i understand.
seeing as i am relativley inexperienced i may not know all the correct java terminology 

What i want to know is how do you work out what determines who is the best regarding a fighting game ?

[Mike]

How does one go about testing something like that with out inviting hackers?

Think of the normal ways to go around security and try to make sure the base is covered. Once that is done ask on a hacking forum if anyone has the knowledge to break your impenetrable website and you should get replies, hackers likes a challenge