online Highscore

You should have an encrypted packet that is sent to the server; the server then validates it and adds it to the table, or else it doesn’t. Never put the MySQL pass/user in the client, because then they can access your SQL server, and you’ll also have to port-forward 3306.

Best way IMO is to send a score gain packet every time they gain a score, then send an end of game packet to add it to the highscore.

I am at school right now. I will check it out as soon as I get home. thx

Just so I can get another emboldened reply of what not to do from Markus:

What you really should do is have an applet save to a text file with all the high scores. Then you don’t have to worry about SQL or anything! Yay!
;D

In that case you would have to use a signed applet?

or

The applet tells the server side program the highscore, the server side program writes to a text file, database entry, etc. <-- what I’m doing.

Hi, this is really interesting. I’m trying to learn a bit about php.

I’ve got a question: can you put passwords in your php file which is in a public folder in your web directory? I mean, can’t anyone just access your password then? Or does the php server program pre-process the php file so that it never sends your php code, but just the html code that the php script generates? I’d really like to know the answer to this, let me know if i haven’t described the problem properly. Thanks :slight_smile:

PS
This is funny, from the php tutorial here: http://www.w3schools.com/php/php_intro.asp:

[quote]What is PHP?

* PHP stands for PHP: [b]H[/b]ypertext [b]P[/b]reprocessor

[/quote]
How does that make PHP, where does the first P come from?!?!?

The PHP interpreter pre-processes everything between <?php ... ?>, so those commands are hidden. Anything outside of those tags will be visible.


<?php
function bla() {
// none of this code is visible
}
?>
This is visible!
<?php
// but this isn't
?>

Of course, there are some cases where data outside of the PHP tags is displayed based on a condition, like:


<?php
$someCondition = false; // set this from your script's own logic, e.g. a database lookup
if ($someCondition) { ?>
You'd only see this if $someCondition is true
<?php
}
?>

Thanks heaps woogley, that makes sense now.

By the way, your tutorial rocks 8)

Thanks… I hope you find it helpful. But also heed what was said above… you wouldn’t want to send the name/score unencrypted like that. The tutorial is meant to show the basic structure you can use to record scores, but you should also look into obfuscating the data sent from the client.

OK, so is the bottom line that there’s no need to put the database name or password in the client? So maybe if you were to modify the tutorial, the database name and password would only be stored in the php script, and rather than having the client submitting a score by sending this URL string to the server (which includes the password):

http://yoursite.com/highscore.php?action=submit&admin_user=foo&admin_pass=bar&name=Bob&score=100&access_code=1234

it might be better to send something like this:

http://yoursite.com/highscore.php?action=submit&name=Bob&score=100&access_code=1234

So that the client does not have the password and database name. And then (somehow!!!) you should check the score in the php script to stop someone from sending bogus scores or spamming the database with lots of scores…

Yeah, I really don’t know why that script even has you specify a username/password. Probably to keep script configuration to a minimum. These days I wouldn’t even think about doing that in production.

BeetleMania submits a score like: http://url/submit?x=30237afc49038&y=3498573489573moregarbledjunk

obfuscated, but crackable.

Cool thanks

Sending an encrypted version of the score, and/or a hash of the score (with salt!) will make it much harder for someone to fake a score submission by hand. And use POST instead of GET or you’ll Break The Internet.

Of course this doesn’t protect you from someone decompiling the client and jimmying the high score before it’s sent, but it’s better than nothing.
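As an added example that ties together the two points made above, that the client should carry no database credentials and that the score should be sent by POST with a keyed hash rather than in the clear, here is a server-side handler. It is not the tutorial's highscore.php and not any poster's code. It assumes a shared secret CLIENT_SECRET compiled into the Java client, a SQLite file next to the script, and a two-step flow where the client POSTs action=start to obtain a one-time token before POSTing action=submit; every name, bound and value in it is an assumption.

```php
<?php
// Added example, not the tutorial's highscore.php. The database credentials
// (here just a SQLite file path) never leave this script; the only thing the
// client carries is CLIENT_SECRET, which a decompiled client can reveal.
declare(strict_types=1);

const CLIENT_SECRET = 'replace-me-with-a-long-random-secret'; // placeholder, assumed
const MAX_SCORE     = 1000000;                                // assumed upper bound for this game
const NAME_PATTERN  = '/^[A-Za-z0-9_ ]{1,16}$/';              // assumed name format

$db = new PDO('sqlite:' . __DIR__ . '/highscore.sqlite');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE IF NOT EXISTS tokens (token TEXT PRIMARY KEY, issued INTEGER NOT NULL)');
$db->exec('CREATE TABLE IF NOT EXISTS scores (name TEXT NOT NULL, score INTEGER NOT NULL, submitted INTEGER NOT NULL)');

function issue_token(PDO $db): string {
    // One-time token handed out at game start and consumed on submit, so a
    // captured submission cannot simply be sent again.
    $token = bin2hex(random_bytes(16));
    $db->prepare('INSERT INTO tokens (token, issued) VALUES (?, ?)')->execute([$token, time()]);
    return $token;
}

function verify_submission(PDO $db, array $post): array {
    $name  = $post['name']  ?? '';
    $score = $post['score'] ?? '';
    $token = $post['token'] ?? '';
    $sig   = $post['sig']   ?? '';

    if (!preg_match(NAME_PATTERN, $name))                   return [false, 'bad name'];
    if (!ctype_digit($score) || (int)$score > MAX_SCORE)    return [false, 'bad score'];
    if (!preg_match('/^[0-9a-f]{32}$/', $token))            return [false, 'bad token'];

    // Recompute the MAC over exactly the fields the client signed and compare
    // in constant time; hash_equals does not leak where the comparison failed.
    $expected = hash_hmac('sha256', "$name|$score|$token", CLIENT_SECRET);
    if (!hash_equals($expected, $sig))                      return [false, 'bad signature'];

    // Consume the token in one statement: a second submission with the same
    // token, or a token older than an hour, deletes nothing and is rejected.
    $stmt = $db->prepare('DELETE FROM tokens WHERE token = ? AND issued > ?');
    $stmt->execute([$token, time() - 3600]);
    if ($stmt->rowCount() !== 1)                            return [false, 'unknown, stale or reused token'];

    $db->prepare('INSERT INTO scores (name, score, submitted) VALUES (?, ?, ?)')
       ->execute([$name, (int)$score, time()]);
    return [true, 'ok'];
}

// Dispatch: only reading the table is allowed over GET; anything that
// changes state must be a POST.
header('Content-Type: text/plain');
$action = $_REQUEST['action'] ?? 'list';
if ($action === 'start' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    echo issue_token($db);
} elseif ($action === 'submit' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    [$ok, $why] = verify_submission($db, $_POST);
    http_response_code($ok ? 200 : 400);
    echo $why;
} else {
    foreach ($db->query('SELECT name, score FROM scores ORDER BY score DESC LIMIT 10') as $row) {
        echo "{$row['name']}\t{$row['score']}\n";
    }
}
```

The Java client would compute the same value with javax.crypto.Mac ("HmacSHA256") over name|score|token and POST the four fields. As the replies above say, this only stops hand-typed URLs and resent captures: anyone who pulls CLIENT_SECRET out of the decompiled client can still sign a made-up score, which is why the score bounds and the server-side table matter more than the secret.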

It’d take me about three minutes to crack that.

I’m sure you would :slight_smile: but it’s better than just sending the score as plain text.

Frankly I’m of the opinion that unless you can actually send a deterministic replay to the server that it can replay, everything is going to be easily circumvented by decompilation. The question is whether you feel it’s worth your time to do it properly or whether you can get by with manual moderation.
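One way to do what the post above describes, sending the server a deterministic replay rather than a score, as an added example that is not from the thread or from any poster's game: the server hands out a seed, the client sends back the seed plus its list of inputs, and the server re-runs the same simulation and keeps only the score it computed itself. The game, the generator and every name here (Lcg, simulate, verify_replay, MAX_TURNS) are constructed for the example.

```php
<?php
// Added example, not any poster's code. Toy game: each turn the player picks a
// lane 0-2, a target appears in a lane drawn from a seeded generator, a hit
// scores 10 points, and the run ends after MAX_TURNS turns or three misses.
declare(strict_types=1);

const MAX_TURNS = 200; // assumed

final class Lcg {
    private int $state;
    public function __construct(int $seed) { $this->state = $seed & 0xFFFFFFFF; }
    // Plain 32-bit LCG rather than mt_rand()/java.util.Random, so the Java
    // client port and this server agree bit for bit whatever their versions.
    public function next(int $n): int {
        $this->state = (1664525 * $this->state + 1013904223) & 0xFFFFFFFF;
        return ($this->state >> 16) % $n;
    }
}

// The same function runs in the client (ported to Java) and here on the server.
function simulate(int $seed, array $inputs): int {
    $rng = new Lcg($seed);
    $score = 0;
    $misses = 0;
    foreach (array_values($inputs) as $turn => $lane) {
        if ($turn >= MAX_TURNS) break;
        $target = $rng->next(3);
        if ($lane === $target) {
            $score += 10;
        } elseif (++$misses >= 3) {
            break;
        }
    }
    return $score;
}

// $issued_seeds maps seed => time it was handed out; the seed is consumed so the
// same replay cannot be submitted twice.
function verify_replay(array $submission, array &$issued_seeds): array {
    $seed    = $submission['seed']   ?? null;
    $inputs  = $submission['inputs'] ?? null;
    $claimed = $submission['score']  ?? null;
    if (!is_int($seed) || !isset($issued_seeds[$seed]))   return [false, 'seed not issued by server'];
    if (!is_array($inputs) || count($inputs) > MAX_TURNS) return [false, 'bad input list'];
    foreach ($inputs as $lane) {
        if (!is_int($lane) || $lane < 0 || $lane > 2)     return [false, 'bad input value'];
    }
    if (!is_int($claimed))                                return [false, 'bad score'];
    unset($issued_seeds[$seed]);
    $actual = simulate($seed, $inputs);
    if ($actual !== $claimed)                             return [false, "claimed $claimed, replay gives $actual"];
    return [true, (string)$actual];
}

// Constructed demonstration. In production $submission is json_decode()d from
// the POST body and $issued_seeds is whatever the server recorded at game start.
$issued_seeds = [12345 => time()];
$inputs = array_fill(0, 20, 1);                       // a player who always picks lane 1
$honest = ['seed' => 12345, 'inputs' => $inputs, 'score' => simulate(12345, $inputs)];
[$ok, $msg] = verify_replay($honest, $issued_seeds); // replay agrees with the claim by construction
$forged = ['seed' => 12345, 'inputs' => $inputs, 'score' => 999999];
[$ok2, $msg2] = verify_replay($forged, $issued_seeds); // seed already consumed, and the claim would not replay
echo "$msg\n$msg2\n";
```

The replay proves the score is reachable from that seed with those inputs, nothing more. Because the generator is public, a patched client can look up each turn's target before choosing its lane and submit a flawless run, which is the "even replays can be faked" point made later in the thread; rate limits, plausibility checks on reaction times and manual moderation are what remain against that.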

The Freehostia is not free!!! It says you must pay $10 to get a domain name. Is there another way? Also I tried the condition thing and even if I made it false it still appeared.

Please at least try to write in a readable manner. One simple reread would have made it. It is just easier for us (especially the non-English speakers) to grasp what you want. Also it’s more likely to get sensible answers.

Quote from http://www.catb.org/~esr/faqs/smart-questions.html#writewell:

This quote might be a preconception, but if you had actually tried to sign up for Freehostia’s “Chocolate” package, you would have found out that you can use a subdomain under freehostia.org for free.

[quote=“Orangy Tang,post:34,topic:32909”]
Agreed, in practice.

In theory, there are other, even more secure solutions.
For example, you could make the client just a video player, then run the ENTIRE GAME on the server, sending the rendered video of the game screen to the client, and sending back inputs to the server.
There are of course less silly variants derived from this thing, including the possibility of having clients verify each other. (While a client is playing, have it re-play a pending highscore entry. If more than, say, 50 clients with different IPs all end up claiming the same score for that entry, allow it.)

Even replays can be faked.

I guess whether or not highscores are faked all depends on how bad people actually want to cheat. Announcing that cheaters are banned might help with that too.
Or writing a bad game :wink:

Personally I never had problems with fake high scores (at least not that I’m aware of :persecutioncomplex:), and I didn’t have much security in the high score posting but did have quite a lot of visitors.

Just wanted to play cosmictrip.
You seem to have a problem with a Turkish hacker:
http://www.gagaplay.com/cosmictrip/index.html

edit: seems to be a ‘script granny’ who hacked more than 200.000 sites.

Yes, I know…
It wasn’t hacked through my highscore saving though :slight_smile: (apparently it was hacked through another site running on the same server, running Joomla)

I haven’t found the time to fix it yet.
Apparently the host’s backup also didn’t work, and my own PC with the latest version of the site was completely crashed just before the server got hacked :’(