I have a basic, common question, and I guess most beginners also face the same problem…
Well, for example:
If a game contains PHP links and uses PHP files to store data in a database… (basically storing email and score)
So in short, the flow is Game > PHP server > DB
How, and at which point, should I stop the user from submitting a huge score? (One which is impossible for a normal user to get)
If you were in my place, what would you do to protect against this type of hack?
If anyone could help in this case, it will be appreciated!
There isn’t a simple solution to that. Normally, to prevent this fully, you will need to set up an authoritative server that can validate the game (either in real time or on completion). That involves sending the player input and replaying the game on the server to find potential cheaters.
That way the user doesn’t submit his score, but your server does. Of course that is a big task and for most smaller/casual games doesn’t justify building all that infrastructure.
If that’s the case, you could set up some limits to clamp the maximum score that can be submitted. Also check how often the same player submits a score to find bots (cool-down period). If it’s a 1v1 game, you could have both players submit the winner’s score to potentially find out if the winner messes with his value.
Hope that helps.
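As an added example (not part of the thread and not code from any poster), the fallback checks suggested in the reply above, written as server-side logic that runs before anything reaches the database: an upper score limit, a per-player cool-down, and agreement between both reports in a 1v1 match. JavaScript is used for illustration and the same checks belong in the PHP endpoint; `MAX_SCORE`, `COOLDOWN_MS`, the function names and the reason strings are assumptions, and the example rejects over-limit scores rather than clamping them.

```javascript
// Added example: server-side checks for a score submission endpoint.
// MAX_SCORE, COOLDOWN_MS and all names below are assumed, not from the thread.
const MAX_SCORE = 5000;        // highest score a legitimate run can reach (assumed)
const COOLDOWN_MS = 30 * 1000; // shortest plausible time between two runs (assumed)

const lastAccepted = new Map(); // playerId -> time of the last accepted score

// Validate one submission. `now` is passed in so the check is deterministic.
function validateSubmission(playerId, score, now) {
  if (typeof playerId !== 'string' || playerId.length === 0) {
    return { ok: false, reason: 'bad-player' };
  }
  // The client can send anything: reject strings, NaN, floats, negatives.
  if (!Number.isInteger(score) || score < 0) {
    return { ok: false, reason: 'bad-score' };
  }
  // Upper limit: an impossible score never reaches the database.
  if (score > MAX_SCORE) {
    return { ok: false, reason: 'over-limit' };
  }
  // Cool-down: nobody finishes two runs faster than COOLDOWN_MS.
  const last = lastAccepted.get(playerId);
  if (last !== undefined && now - last < COOLDOWN_MS) {
    return { ok: false, reason: 'cooldown' };
  }
  lastAccepted.set(playerId, now);
  return { ok: true, score };
}

// 1v1: both players report the winner and the winner's score.
// The result is stored only when the two reports agree.
function reconcileMatch(reportA, reportB) {
  const agree = reportA.winner === reportB.winner &&
                reportA.winnerScore === reportB.winnerScore;
  if (!agree) {
    return { ok: false, reason: 'mismatch' };
  }
  return { ok: true, winner: reportA.winner, score: reportA.winnerScore };
}
```

Rejected submissions are worth logging with their reason, since repeated `over-limit` or `cooldown` results from one player are the signal the reply describes for finding bots.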
I fully agree with @Leonidas, personally I like the Quake 3 engine, which comes with an authoritative server, battle-tested over many years - and it’s open source (GPL though, not MIT)
A certain amount of obfuscation or actual encryption may also help (e.g. no simple JSON requests that anyone can inspect and resend in F12/DevTools).
Thanks for the deep information, @Leonidas and @kungfooman.
I just came across this video about hacking the PlayCanvas Swerve game
And here is the game link
And when I tried it… it did not work for me…
I also checked the source code
The code seems pretty normal and I should be able to access it from outside…
But I failed to access them…
How can I achieve this type of security? @Leonidas @kungfooman
There is no protection (you just don’t know how to pick a context in devtools)
Making these “defines” const could even help a bit, but that’s not an ES5 thing.