
I'm making a JavaScript game where the player builds up a score against a countdown timer. When the timer runs out I display a form that shows the score and lets the user enter their username (arcade style). I'm going to use the POST method to send the user's score to a PHP file that will store it somehow (database, text file, or something). How do I prevent people from fiddling with the JS code and passing some new value through that isn't the correct score (or something that isn't malicious)?

At the very least, what are the safest methods on the PHP/receiving end to only accept an integer value?

1 Answer

That's a well-known and difficult problem. I'm not sure it ever has a good solution. The user is the client, and the client is JS, so they have 100% control over what's sent to the server.

The only thing you can do and enforce is server-side validation. Don't just send the score. Send the path, the method, the steps, etc. Starting a session/game/level should also happen on the server, because the timestamp could be faked from the client.

You can make the whole game in JS, but start and end it on the server and remember all the steps. This might mean double step/path validation: in JS (instantly) and on the server.

(I had the same problem with http://games.webblocks.nl/110 which stores steps (clicks) in g_stack.)
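The approach the answer describes, as an added example that is not code from the original post or from the linked game: the server starts the round, keeps its own start time, hands the client an opaque game id, and recomputes the score from the submitted move log instead of trusting a client-sent score. The round length, the points per hit, the human click-rate ceiling and the POST layout (a JSON body with `game` and `moves`, where each move is a millisecond offset into the round) are all assumptions made for the example; `$_SESSION` would be passed in place of the `$session` array in a real request.

```php
<?php
// Added example (not from the original post): the server owns the start of the
// round and recomputes the score from the move log. Game rules below (round
// length, points per hit, click-rate ceiling) are invented for the example.
declare(strict_types=1);

const ROUND_SECONDS      = 30;
const POINTS_PER_HIT     = 10;
const MAX_HITS_PER_SECOND = 5;   // assumed physical limit of a human clicking
const MAX_MOVES          = ROUND_SECONDS * MAX_HITS_PER_SECOND;

/**
 * Start a game on the server. $session is the PHP session array ($_SESSION in
 * a real request); $now is the server clock, injected so the function is
 * testable. Returns the opaque game id the client must echo back with its moves.
 */
function start_game(array &$session, int $now): string
{
    $gameId = bin2hex(random_bytes(16));          // unguessable, server-issued
    $session['games'][$gameId] = ['started' => $now, 'finished' => false];
    return $gameId;
}

/**
 * Validate a finished game and recompute its score from the move log.
 * $post is the decoded POST body: ['game' => string, 'moves' => int[]].
 * Returns the server-computed score, or null if the submission is rejected.
 */
function finish_game(array &$session, array $post, int $now): ?int
{
    $gameId = $post['game'] ?? '';
    if (!is_string($gameId) || !isset($session['games'][$gameId])) {
        return null;                               // unknown or never-started game
    }
    $game = $session['games'][$gameId];
    if ($game['finished']) {
        return null;                               // one submission per game id
    }
    // The server's own clock decides whether the round could have ended: a
    // submission that arrives before the timer could have run out is
    // impossible, one that arrives long after it is stale.
    $elapsed = $now - $game['started'];
    if ($elapsed < ROUND_SECONDS || $elapsed > ROUND_SECONDS + 60) {
        return null;
    }
    $moves = $post['moves'] ?? null;
    if (!is_array($moves) || count($moves) > MAX_MOVES) {
        return null;
    }
    $score = 0;
    $prev  = -1;
    foreach ($moves as $t) {
        // Every move must be an int offset inside the round, strictly
        // increasing, and no faster than a human could click.
        if (!is_int($t) || $t < 0 || $t >= ROUND_SECONDS * 1000 || $t <= $prev) {
            return null;
        }
        if ($prev >= 0 && $t - $prev < 1000 / MAX_HITS_PER_SECOND) {
            return null;
        }
        $prev   = $t;
        $score += POINTS_PER_HIT;
    }
    $session['games'][$gameId]['finished'] = true; // burn the game id
    return $score;                                 // bounded by MAX_MOVES * POINTS_PER_HIT
}

// Stand-alone demonstration with a constructed session and constructed move lists.
if (PHP_SAPI === 'cli') {
    $session = [];
    $t0 = time();

    $id     = start_game($session, $t0);
    $honest = ['game' => $id, 'moves' => range(0, 29000, 1000)];   // 30 clicks, one per second
    var_dump(finish_game($session, $honest, $t0 + ROUND_SECONDS + 1));

    $id2   = start_game($session, $t0);
    $cheat = ['game' => $id2, 'moves' => array_fill(0, 5000, 100)]; // 5000 "clicks" at once
    var_dump(finish_game($session, $cheat, $t0 + ROUND_SECONDS + 1));
}
```

Run from the command line, the honest move list is scored at 300 and the cheated one is rejected before its moves are even walked. The point is that the client never sends a score at all: it sends evidence (the moves and the game id the server issued), and the server is the only party that turns evidence into a number. A client can still fabricate a plausible-looking move list, which is the residual problem the answer refers to, but it can no longer submit 10,000,000 for a thirty-second round or replay an old submission under a used game id.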


5 Comments

Thanks. That's a pretty good idea. But let's say I just wanted to accept any score (with some reasonable limits); is there just a safe way to only accept some int value with some parameters? This is assuming that I don't mind people sending "fake/cheated" scores.
You can accept anything you want, with any validation you want. Are you looking for advice or code? What kind of parameters? What format does your score have (1 int, array of ints, 3d matrix, etc)?
Yeah, I just want to pass 1 int. I realize that I can set some parameters on the PHP end. I don't have a lot of experience with it yet though and just wanted to make sure I wasn't forgetting some crucial thing about accepting POST data. I guess if it's just an int and I don't allow anything else in then it won't be a problem.
What you could do to make it slightly harder to hack, is have JS fetch a secret token from the server when a session/game/level starts and then send that secret token back with the score. That's something the server can very easily validate. It's not nearly foolproof though: the token will be stored in JS, on the client, so the client controls it.
The moral always is: the client controls everything. With devtools these days, it's super easy to fake AJAX calls etc. with custom params.
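For the narrower question in the comments (accept a single int, tolerate cheated scores, just don't let anything else into storage), an added example of the receiving PHP file; it is not code from the original post. The score ceiling, the username pattern, the `scores` table and the SQLite DSN are assumptions made for the example.

```php
<?php
// Added example (not from the original post): the minimal safe "receiving end"
// for one integer score when cheated values are tolerated but non-numeric
// strings, arrays, floats and absurd magnitudes must never reach storage.
declare(strict_types=1);

const MAX_SCORE   = 100000;                   // highest score the game can produce; assumed
const USERNAME_RE = '/^[A-Za-z0-9_]{1,3}$/';  // arcade-style initials; assumed

/**
 * Return the score as an int, or null unless the raw POST value is a canonical
 * decimal integer within [0, MAX_SCORE]. FILTER_VALIDATE_INT returns false for
 * "12abc", "1e3", "12.0", "0x1A" and ""; the range options stop absurd values
 * and integer overflow before the value is ever treated as a number.
 */
function parse_score($raw): ?int
{
    if (!is_string($raw)) {                   // score[]=1 arrives as an array; null if absent
        return null;
    }
    $v = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => MAX_SCORE],
    ]);
    return $v === false ? null : $v;
}

/** Username: fixed character set and length, or null. */
function parse_username($raw): ?string
{
    return is_string($raw) && preg_match(USERNAME_RE, $raw) === 1 ? $raw : null;
}

/**
 * Store with a prepared statement so the validated values are bound as typed
 * parameters rather than concatenated into SQL. Table and columns are assumed.
 */
function store_score(PDO $db, string $user, int $score): void
{
    $stmt = $db->prepare('INSERT INTO scores (username, score) VALUES (:u, :s)');
    $stmt->bindValue(':u', $user, PDO::PARAM_STR);
    $stmt->bindValue(':s', $score, PDO::PARAM_INT);
    $stmt->execute();
}

if (PHP_SAPI === 'cli') {
    // Stand-alone check of the parser on constructed inputs.
    foreach (['1500', '0', '-1', '1e3', '12abc', '12.0', '999999999999'] as $raw) {
        var_dump(parse_score($raw));
    }
} elseif (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $score = parse_score($_POST['score'] ?? null);
    $user  = parse_username($_POST['username'] ?? null);
    if ($score === null || $user === null) {
        http_response_code(400);
        exit('invalid submission');
    }
    $db = new PDO('sqlite:' . __DIR__ . '/scores.sqlite');   // storage location assumed
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    store_score($db, $user, $score);
    http_response_code(204);
} else {
    http_response_code(405);                                  // GET is not a submission
}
```

Two things this does that the comment's "just an int" framing leaves out: it rejects the array form of the parameter (`score[]=1`), which `$_POST` happily produces and which would otherwise make `(int)$_POST['score']` emit a warning and store 1, and it bounds the value, so a "cheated" score is at most implausible rather than something that overflows a column or wraps on a 32-bit build. The username gets the same treatment, since a free-form string is the field an attacker would actually put a payload in.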
