Safest way to update game score from client to server database? Javascript

Question

So I have this game that is completely run on the client. No server interaction what so ever apart from downloading the initial scripts to play the game. Anyway at the end o

Answer 1

You seem to know this already, but just to stress; you cannot stop someone doing this; you can only make it as hard as possible!

Assume you currently submit the score as:

/submit_score.php?score=5

Someone watching in Firebug can easily distinguish where the score is submitted, and to alter it. submit_score.php gives it away, as does the name of the parameter. The score is a easily distinguishable integer.

1. Change the end point: /interaction.php?score=5
2. Change the parameter name: /interaction.php?a=5

It's getting harder for the user to work out what is going on.

Now you can make the score harder (again, harder, not impossible), to change. First, you can encrypt it (obviously you'll need to be able to decrpt it later).

1. Base 64 encode it.
2. Numbers -> Letters (1=a, 2=b, etc).
3. Reverse the order of the score representation.

You name it, you do it. So you now have interaction.php?a=e.

The next thing you can do is hash the score with something else. Send the hash with the score, and recalculate it on the server. For example, md5() the score with a random string, and send the score (encoded), the string, and the hash in the request:

/interaction.php?a=e&str=abcde&hash=123456789abcefbc

When the request hits the server, do:

if (md5($_GET['a'] . $_GET['str']) !== $_GET['hash']) exit;

Obviously people can (relatively) easily go through your JavaScript code and see what's going on; so make it harder for them there. Minify and Obfuscate the code.

If you make it hard enough for someone, they're going to try understand your JavaScript, try using Firebug, not understand what's going on, and not bother; for the sake of getting a few extra points on your game.