StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

PO
primarykey
Id
303702
data
AcceptedAnswerId
0
AnswerCount
0
ClosedDate
CommentCount
2
CommunityOwnedDate
CreationDate
2008-11-19T22:53:22.107
FavoriteCount
0
LastActivityDate
2012-02-13T22:46:13.127
LastEditDate
2012-02-13T22:46:13.127
LastEditorUserId
5811
OwnerUserId
5811
ParentId
303255
PostTypeId
2
Score
4
ViewCount
0
LastEditorDisplayName
text
Body
The answer to your question is, it depends. It depends mainly of the estimated popularity of your game. From a security perspective, your solution is about as secure as sending the highscore in cleartext. What you're doing here is called security by obscurity, which, according to who you listen to may have its benefits in some cases. In this case it's probably that Joe the average user would not likely be able to crack it himself. For anyone with some l33t h4xxor skillz you might as well send it all in cleartext. If all you want is to stop Joe, then it's probably enough, at least until someone creates a fake client for Joe to download (which depending on the popularity of your game could take anything from a couple of days to never (or faster if it's WoW)). A better solution is the one given by @Kent Fredric. However as it says it doesn't solve the problem of someone creating a fake client. A solution to that might be something like this: <ol> <li>Give every action a player can perform an id.</li> <li>Store every action the player performs in a list of ids.</li> <li>When the game is over hash the score, the list of actions and encrypt it with the public key received from the server. (see Kent Fredric's post for details on this)</li> <li>Send the encrypted hash (more commonly called digital signature) to the server together with the score and the list of actions performed.</li> <li>Let the server "play" the game according to the actions in the list.</li> <li>Verify that the same score was attained.</li> <li>Verify that the digital signature is correct.</li> <li>Update server highscore list.</li> </ol> This will guarantee two things: <ol> <li>The score comes from the correct client.</li> <li>The score is correct in regards to the game played.</li> </ol> But there's still one serious flaw to this scheme. There's no way of knowing that the game was in fact actually played. If the client is compromised, the list could just be a prefab of a "perfect game" that is sent to the server. It's not possible to directly tamper with the scoring system, but with enough effort someone will most likely be able to create a list of actions that comprise a "perfect game". However it gives a little bit stronger guarantee than just using the solution in Kent Fredric's post. To solve the whole problem would mean that you must validate the client somehow. This is very difficult since most ways of doing this are easily circumvented. Finally I just had to comment on your choice of hash algorithm: MD5 is a great hash algorithm for those still living in the nineties. For the rest of us I recommend SHA-2 or at least SHA-1.
Tags
Title
singulars
PostAcceptedAnswerId
1. This table or related slice is empty.
PostParentId
1. POSuggestions for (semi) securing high-scores in Flash/PHP game
 singulars
 PostTypePostTypeId
 PTQuestion
PostTypePostTypeId
1. PTAnswer
UserLastEditorUserId
1. USAndreas Magnusson
UserOwnerUserId
1. USAndreas Magnusson
plurals
PostLinksPostIdRelatedPostId
1. This table or related slice is empty.
PostLinksRelatedPostIdPostId
1. This table or related slice is empty.
PostsAcceptedAnswerId
1. This table or related slice is empty.
PostsParentIdCreationDate
1. This table or related slice is empty.
VotesPostIdCreationDate
1. VO
 singulars
 PostPostId
 PO
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
2. VO
 singulars
 PostPostId
 PO
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
3. VO
 singulars
 PostPostId
 PO
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
CommentsPostId
1. COThis scheme can be improved further by having the server decide and send the random seed for each game. E.g. Client tells server it wants to play. Server says, ok, play the game initiated by seed nn. Then when the client wants to upload the high score the server checks that the high score is in fact for game nn. Even this scheme can be hacked, but then the whole game needs to be rev. eng. and reconstructed. Which can be done (and has been for some popular games that uses this scheme).
 singulars
 PostPostId
 PO
 UserUserId
 USAndreas Magnusson
2. COYeah, sure, the client could probably still brute force permutate the action list to find a sequence that produced a desirable score, but then you're at least elevating the computational complexity required to generate a fake score from O(1) to something more O(n^3), having to brute force permutations to find a fitting score should at least keep the real amateurs out, and they'll resort to botting instead.
 singulars
 PostPostId
 PO
 UserUserId
 USKent Fredric

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.