Picnic highscore system for HTTP written in PHP

Hey guys! :slight_smile:

I wrote a super-simple highscoring system for HTTP in PHP and MySQL. I figured it would be appropriate to post it here, since… online highscores for games.

It works using only GET- and POST-requests, and JSON-formatted text. It is currently very basic feature-wise, and not cryptic at all to developers. It’s supposed to be easy to change for your needs.

The script can be found here, along with a few words about how to integrate it:

It is published as public-domain, so knock yourselves out!

If you have an opinion about this, I’m very interested in hearing it.

I’m planning to add a few example client implementations, to show how easy it is to integrate.
I’m also planning to add further functionality to the currently fairly limited GET-requests.

Take care :slight_smile:

Cool, I like it, but it seems like it would be extremely easy to modify the scores externally, no?

You are right! As with any REST API, it can be accessed from everywhere equally.
Currently, there is next to no validation going on in the highscore. This is because scores are calculated differently in every game, so I could not implement any universal score-validator.

This is what I suggest doing, to prevent cheating:

  • Add a UNID field to all POST-requests. That way hackers can’t spam by resending packets.
  • Add a few statistics of the game to all POST-requests. Then check on the server, if the game was viable. For a fly-the-copter type game, send the flight time, the powerups collected, the seed for level-generation and place of death. That way you can check if the score is equal to what the flight-time/powerups suggest, and you can check if there is an obstacle in the place the player died, resulting in death.
  • If you’re into it, you can encrypt the “score” field using a predetermined seed.

All of the above are security through obscurity though, and can be broken. Then again, it’s next to impossible to completely prevent cheating unless the game logic is executed remotely.

If you can think of any more ways to prevent cheating, please do tell. :slight_smile:

Well, my suggestion is to look around at how others have done it.
For example, the big game portals, like Kongregate. It has its own API, it has lots and lots of games, so it would be logical to assume they also have had lots and lots of problems :slight_smile:
Also, I think that Google had a gameportal thingy (can’t remember the name) and a scores API.

Okay, I took a look around. :slight_smile: It seems that most of these places (Kongregate included) have problems with keeping their highscore table safe. Not because people figure out an exploit in the submitting process, but because they edit the score in the actual game. No kind of security on the highscore end can prevent this, sadly.

I guess it just goes to show that it is an almost impossible task, with Cheat Engine out there.
However, I think I’m going to encrypt all the fields in the JSON, just to add another layer for the actual network hackers.

I’m also thinking about adding a data-array to the JSON, containing data about the game.
That way, developers can plug in their game-specific values and do validatory calculations on them, on the server. I’m confident that would stop Cheat Engine-powered cheats.

What do you think of this? Are these good ideas, or am I unnecessarily obscuring this for developers?
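As an added example (not code from the highscore script or its author), here is one way a server could implement the UNID replay check and the game-statistics validation suggested earlier in the thread, which is also what the proposed data-array would feed. The scoring constants, the level generator, the JSON field names and the in-memory UNID table are all assumptions for the sake of the example.

```php
<?php
// Added example, not the original script: server-side plausibility checks for
// a "fly-the-copter" style submission, as the thread suggests. Hypothetical
// POST body: {"score":..,"unid":..,"data":{"flight_time","powerups","seed","death_x"}}
const POINTS_PER_SECOND  = 10;  // hypothetical scoring rule
const POINTS_PER_POWERUP = 50;  // hypothetical scoring rule
const MAX_SPEED          = 5;   // max units travelled per second (hypothetical)
// Hypothetical deterministic level generator shared by client and server:
// an obstacle every 7 units, shifted by the seed.
function isObstacleAt(int $seed, int $x): bool {
    return $x >= 0 && ($x - $seed % 7) % 7 === 0;
}
// Returns reasons to reject; an empty list means accept and record the UNID.
// $seenUnids stands in for a database table of already accepted UNIDs.
function validateSubmission(array $sub, array &$seenUnids): array {
    $errors = [];
    $unid = $sub['unid'] ?? '';
    if (!preg_match('/^[a-f0-9]{32}$/', $unid)) {        // 1. replay protection
        $errors[] = 'missing or malformed unid';
    } elseif (isset($seenUnids[$unid])) {
        $errors[] = 'duplicate unid (resent packet)';
    }
    $d = $sub['data'] ?? [];
    foreach (['flight_time', 'powerups', 'seed', 'death_x'] as $k) {
        if (!isset($d[$k]) || !is_numeric($d[$k])) {     // 2. statistics present
            $errors[] = "missing statistic: $k";
        }
    }
    if ($errors) return $errors;
    $expected = (int)$d['flight_time'] * POINTS_PER_SECOND  // 3. score implied
              + (int)$d['powerups'] * POINTS_PER_POWERUP;   //    by statistics
    if ((int)($sub['score'] ?? -1) !== $expected) {
        $errors[] = "score does not match statistics (expected $expected)";
    }
    if ((int)$d['death_x'] > (int)$d['flight_time'] * MAX_SPEED) {  // 4. death
        $errors[] = 'death position unreachable in flight time';    //    plausible
    }
    if (!isObstacleAt((int)$d['seed'], (int)$d['death_x'])) {
        $errors[] = 'no obstacle at place of death';
    }
    if (!$errors) $seenUnids[$unid] = true;   // accepted: remember the UNID
    return $errors;
}
// Constructed sample: 30 s flight, 2 powerups, seed 3, died at x=45 (an obstacle).
$seen = [];
$sub = ['score' => 400, 'unid' => str_repeat('ab', 16),
        'data' => ['flight_time' => 30, 'powerups' => 2, 'seed' => 3, 'death_x' => 45]];
var_dump(validateSubmission($sub, $seen));   // first call: accepted, no errors
var_dump(validateSubmission($sub, $seen));   // second call: rejected as a resent packet
```

The replay table must be persistent and shared by all web server processes (a database column with a unique index, not a PHP array) for the UNID check to hold in a real deployment.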