I have little knowledge of Flash, but for a little Flash game I have to store the score and successful tries of users in a database using PHP. Now the Flash runs locally on the user's computer and connects to a remote server. How can I secure against manipulation of game scores? Is there any best practice for this use case?

A: 

This topic has been covered here @ stackoverflow, at least in part

http://stackoverflow.com/questions/73947

Peter Bailey
+1  A: 

What you are asking is inherently impossible. The game runs on the client and is therefore completely at the user's mercy. The only way to be sure is to run a real-time simulation of the game on the server based on the user's input (mouse movement, keypresses), which is absolutely ridiculous.

A: 

As ssddw pointed out, this is fundamentally impossible. The code to send the score is running on the user's computer, and they have control over it and everything that runs there.

The best you can do is to periodically alter the encryption mechanism so that it takes score-manipulators a while to figure it out again. You can only minimize the damage, never eliminate it, but on a site like the one I work for, if we've got only a hundred people sending fake scores, out of the hundreds of thousands we see every day, we consider that well within the realm of acceptable. (We still crush those we catch cheating, but we don't consider it much of a problem.)

dirtside
A: 

You could at least throw out scores that are above some threshold that you would deem legitimate. It still leaves room for more subtle manipulation of a high scores list, but will at least help relieve the obvious frustration of seeing an impossible-to-achieve score topping the charts.
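
The threshold idea above, sketched as a server-side PHP check. This is an added example, not code from any of the answers. It goes a little beyond a single cap by also checking the score against the reported successful tries and the tries against elapsed time. The constants, the function name and the sample submissions are assumptions to be replaced with the game's real rules.

```php
<?php
declare(strict_types=1);

// Assumed game rules (hypothetical values; set them from your own game design).
const MAX_POINTS_PER_TRY  = 100;  // highest score a single successful try can award
const MIN_SECONDS_PER_TRY = 2.0;  // fastest a human can complete one try
const MAX_TRIES_PER_GAME  = 50;   // tries available in one game

/**
 * Returns a list of reasons the submission is implausible; empty means "accept".
 * $startedAt must be the time the server recorded when it handed out the game
 * session, never a value sent by the client.
 */
function implausibleReasons(int $score, int $tries, float $startedAt, float $now): array
{
    $reasons = [];
    if ($score < 0 || $tries < 0) {
        $reasons[] = 'negative value';
    }
    if ($tries > MAX_TRIES_PER_GAME) {
        $reasons[] = 'more tries than the game allows';
    }
    if ($score > $tries * MAX_POINTS_PER_TRY) {
        $reasons[] = 'score exceeds what the reported tries can award';
    }
    $elapsed = $now - $startedAt;
    if ($elapsed < $tries * MIN_SECONDS_PER_TRY) {
        $reasons[] = 'tries completed faster than a player can act';
    }
    return $reasons;
}

// Constructed sample submissions: [score, tries, seconds since session start].
$samples = [
    'honest'     => [1800, 20, 95.0],
    'huge score' => [999999, 20, 95.0],
    'too fast'   => [1800, 20, 5.0],
];
$now = microtime(true);
foreach ($samples as $label => [$score, $tries, $elapsed]) {
    $reasons = implausibleReasons($score, $tries, $now - $elapsed, $now);
    printf("%-10s %s\n", $label, $reasons ? 'reject: ' . implode('; ', $reasons) : 'accept');
}
```

A submission that stays inside these bounds can still be fabricated, so this only removes the obviously impossible entries, as the answer says.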