I'm finding lately how insecure JavaScript is when programming a game (I'm trying to do a turn-based RPG, and currently the battle calculations are done through JavaScript, which any player can cheat with, of course, giving themselves as much XP as they want), so I'm wondering: if I were to move my battle screen to Flash, would this be any more secure, or is there just as easy a way to cheat this?

+1  A: 

This is very slightly safer, as Flash source is harder to read than JS source. However, neither is particularly safe.

Jakub Hampl
I agree. At least you need a bit more than Firebug to hack it.
Diodeus
Firebug's ‘Net’ tab will show you what Flash is requesting too :-)
bobince
I'm of the opinion that something is safe or it's not. Slightly unsafe doesn't cut it, I'm afraid, so it's server-side or nothing.
Shane
@bobince: Firebug only works for HTTP. Flash allows plain TCP. Also, JS is always distributed as source, and plugins like Greasemonkey allow you to manipulate the runtime's state at will. Flash does make things harder to hack.
back2dos
+4  A: 

Come on. It's the same question really. Answer remains the same too:

No matter what the game, whether JS, Flash or native binary, if the scoring system is vulnerable, people will tamper if the game is good enough. Stick to clever server-side every time.

This is not a problem that can be solved by obfuscation at the client end. There's plenty of prior art concerning keeping high-score tables/game data secure. Sharpen your Google-fu and have a look.

Although the title of this post would suggest it's not applicable, I'd consider the difference between a browser/non-browser game to be irrelevant in this regard. As such, take a look:

http://stackoverflow.com/questions/25999/secure-online-highscore-lists-for-non-web-games

spender
Thanks. Sorry about the quasi-double post, I was just desperately trying to find a way to make a turn-based RPG where you battle something taking turns until winning or losing without refreshing the page, but I'm quickly finding that it's impossible (I thought I was onto something brilliant when seeing that there currently weren't any lol). Once again, thank you, I just needed the verification.
Sean Madigan
@Sean: you don't need to refresh the page. Use a persistent JavaScript or Flash implementation that sends user input to the server. The server executes the game logic and returns the result. The client then gives visual feedback (e.g. monster is hit and loses 15 life).
back2dos
+1  A: 

As I said in a previous answer, a secure system cannot trust client score input. It doesn't matter whether the intended program is Flash or JavaScript. Once you send the program to the client, they have any required key. So you can't rely on the client giving you accurate scores. The only reliable way to do it is to move score calculation to the server. Then, for a bot to play, it would still have to calculate every movement manually.

Matthew Flaschen
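
The server-side design that back2dos's comment and Matthew Flaschen's answer describe, as an added example that is not part of the original thread: the client sends only the chosen action, and the server owns monster HP, damage rolls and XP. All names (`startBattle`, `handleTurn`, the monster and action tables) are hypothetical, and the transport (AJAX, socket) is left out.

```javascript
// Added example: server-authoritative turn resolution. All names are hypothetical.
const MONSTERS = { slime: { hp: 30, xpReward: 12 } };            // constructed sample data
const ACTIONS = { attack: { min: 8, max: 15 }, defend: { min: 0, max: 0 } };

const battles = new Map();   // battleId -> state that exists only on the server
const players = new Map();   // playerId -> { xp }

function startBattle(battleId, playerId, monsterType) {
  const m = MONSTERS[monsterType];
  if (!m) throw new Error('unknown monster');
  if (!players.has(playerId)) players.set(playerId, { xp: 0 });
  battles.set(battleId, { playerId, monsterHp: m.hp, xpReward: m.xpReward, over: false });
}

// `message` is untrusted client input. Only `message.action` is read; any
// damage, hp or xp fields a tampered client adds are never consulted.
function handleTurn(battleId, playerId, message, rng = Math.random) {
  const b = battles.get(battleId);
  if (!b || b.playerId !== playerId) return { ok: false, error: 'no such battle' };
  if (b.over) return { ok: false, error: 'battle already finished' };   // no replaying a win

  const name = message && typeof message.action === 'string' ? message.action : '';
  // Own-property check so names like "constructor" cannot match the prototype.
  if (!Object.prototype.hasOwnProperty.call(ACTIONS, name)) {
    return { ok: false, error: 'invalid action' };
  }
  const spec = ACTIONS[name];

  // The damage roll happens here, on the server, never in the browser.
  const damage = spec.min + Math.floor(rng() * (spec.max - spec.min + 1));
  b.monsterHp = Math.max(0, b.monsterHp - damage);

  let xpGained = 0;
  if (b.monsterHp === 0) {
    b.over = true;                        // XP is awarded exactly once per battle
    xpGained = b.xpReward;
    players.get(playerId).xp += xpGained;
  }
  // The client only renders this result (e.g. "monster loses 15 life").
  return { ok: true, damage, monsterHp: b.monsterHp, xpGained, totalXp: players.get(playerId).xp };
}
```

The page never reloads: the client posts `{ action: "attack" }` in the background and animates whatever result the server returns.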