There is a rule: Never trust front end data when it comes to the back end
because there is no way to know the origin.

A salted hash parameter sha(randomstring+int) sent with the score would be a
simple deterrent for wannabe script kiddies who don't have a clue (99% of
cheaters).

A bit deeper layer of defense would be a challenge-response confirmation
cycle. A cheater would send just a number. The application would send a number,
then also reply with a proper response to the back end's challenge, which
would confirm that the submitted score is legit. If you make the time window
for a legal response very narrow (like 2 seconds), manual replying is out of
the picture. The whole app would have to be reverse engineered.


The most foolproof method is the social one:

Use statistics to detect which IP addresses have a gradual increase in score
(getting better at the game) and which IP addresses came with the best score
out of nowhere to eliminate the obvious ones. Then make the graph of the
user's score history available for everyone to see and scrutinize. If you
are on the top and everyone knows that you cheated, the only thing you
achieve is to make yourself look stupid (and to make people report you as a
cheater and force you off the score list).


On Tue, Dec 14, 2010 at 15:08, 冷雨 <[email protected]> wrote:

> If I write a JavaScript game (e.g. classical Pacman) which has an online
> rank list, like most Flash games.
> It sends players' scores to the server by XMLHttpRequest, and then refreshes
> the rank list.
> How can I avoid cheating? If a player writes his/her own JavaScript
> sending my server "999999"?
> As JavaScript runs on the client entirely, how can I know whether a message
> is from my script or not?
>
>
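
The challenge-response cycle described in the reply above, sketched as back-end Node.js code. This is an added example, not part of the original thread: the function names, the in-memory store and the salt value are assumptions, and the 2-second window is the one the reply suggests.

```javascript
// Added example: server-side challenge/response check for score submissions.
// issueChallenge, verifySubmission, responseFor and APP_SALT are hypothetical names.
const crypto = require("crypto");

const WINDOW_MS = 2000;                    // the "2 seconds" window from the reply
const APP_SALT = "constructed-demo-salt";  // also shipped in the client: a deterrent, not a secret
const pending = new Map();                 // challenge id -> { nonce, issuedAt }

// Digest both sides compute: sha256(salt | nonce | score).
function responseFor(nonce, score) {
  return crypto.createHash("sha256")
    .update(`${APP_SALT}|${nonce}|${score}`).digest("hex");
}

// Back end: hand out a fresh random challenge when a client wants to submit.
function issueChallenge(now = Date.now()) {
  const id = crypto.randomBytes(8).toString("hex");
  const nonce = crypto.randomBytes(16).toString("hex");
  pending.set(id, { nonce, issuedAt: now });
  return { id, nonce };
}

// Back end: accept a score only with a correct, timely, first-use response.
function verifySubmission({ id, score, response }, now = Date.now()) {
  const entry = pending.get(id);
  if (!entry) return "unknown-or-replayed";
  pending.delete(id);                      // single use, even when the check fails
  if (now - entry.issuedAt > WINDOW_MS) return "expired";
  if (!Number.isSafeInteger(score) || score < 0) return "bad-score";
  const expected = Buffer.from(responseFor(entry.nonce, score), "hex");
  const given = Buffer.from(String(response), "hex"); // invalid hex decodes short
  if (given.length !== expected.length ||
      !crypto.timingSafeEqual(given, expected)) return "bad-response";
  return "accepted";
}
```

Rejected submissions are worth logging with their reason code and source IP, since they feed the score-history statistics the reply recommends.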
