
How to prevent a post request from changing a variable in the database

For example, I have a website where you can log in and have points. You can earn points by playing a snake game that is created with p5.js, so every time you play the snake game you earn points depending on your score. So in my sketch.js I have an AddPoints function that is called every time you play and hit a wall or yourself in the snake game.

function AddPoints(p) {
    $.ajax({
        type: "POST",                 // HTTP method
        url: "./index.php",           // the page that updates the database
        data: { pts: p.toString() },  // the score being sent
        success: function (res) {
            // nothing to do on success
        }
    });
}

this function uses ajax to call POST on my index.php every time I finish the game.

<?php
  // $db is the mysqli connection; $username is assumed to hold the logged-in
  // user's name (for example, taken from the session). The value of pts is
  // whatever the client chose to send, which is the problem described below.
  if (isset($_POST['pts'])) {
      $pts = (int) $_POST['pts'];
      $stmt = mysqli_prepare($db, "UPDATE user SET points = points + ? WHERE username = ?");
      mysqli_stmt_bind_param($stmt, "is", $pts, $username);
      mysqli_stmt_execute($stmt);
  }
?>

Now the problem that arises from this is that registered players can just use the Request Maker Google add-on to make a POST request and change the value of pts to earn free points. Is there any workaround for this which allows me to add points to the MySQL database every time you earn points from the snake game, without it being hacked for free points?


Answer

A more secure way would be to mirror the point calculation logic on the server, and parse the user’s keystrokes and the position of the snake. For example, you could send a websocket message every time there’s a new game tick, and also send a message about the location of the food pellets so the server can fully replicate the state of the game. When the snake runs into a wall or itself, you’ll be able to detect it both on the client and on the server. No $.ajax should be needed at all, if the client’s snake direction and food pellet locations are sent to the server over the websocket.

Maybe use a random number generator library so that you can start with a seed on both the client and server. This’ll let you determine the food pellet locations without any additional requests, and will let you detect those who might be trying to hack into the game by sending duplicate socket messages. (Have the seed sent to the client by the server.)

If your code is sufficiently long, another method would be to obfuscate the request payload so that it isn’t clear from looking at the network tools what exactly the requests mean, allowing your server to detect and discard malformed or duplicate requests.

In general, when stuff is being done on the client-side, fully preventing botting in situations like these isn’t possible, but you can take steps to mitigate it and make it a lot harder to be exploited.
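The approach described in this answer, as an added example that is not part of the original question or answer: a deterministic snake simulation that the client and the server both run from a server-issued seed and the client's per-tick direction inputs, so the server recomputes the score itself and never reads a "pts" value from the request. The seed is settled at most once, which is what rejects a duplicated or replayed "finish" message. The board size, the seedable PRNG (mulberry32), the `simulate` and `GameServer` names and the simplified collision rule are all assumptions made for this example; a real server would draw seeds from a CSPRNG and tie the game id to the logged-in user.

```javascript
// Added example: server-authoritative scoring for the snake game.
// Both client and server run simulate() on the same seed and input list,
// so the score is derived from the inputs rather than trusted from the client.

const GRID = 10; // constructed: 10x10 board

// mulberry32: small seedable PRNG so food positions are reproducible on both sides.
function mulberry32(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6D2B79F5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

const DIRS = { U: [0, -1], D: [0, 1], L: [-1, 0], R: [1, 0] };

// Draw food cells from the shared PRNG until one is not occupied by the snake.
function placeFood(rand, snake) {
  for (;;) {
    const x = Math.floor(rand() * GRID), y = Math.floor(rand() * GRID);
    if (!snake.some(([sx, sy]) => sx === x && sy === y)) return [x, y];
  }
}

// Replay one game. `inputs` is the direction sent for each tick (one letter per tick).
// Returns the score (food eaten), whether the run ended in a collision, and
// whether every input was well-formed. Moving into any current segment counts as
// a self-collision (a simplification; client and server must share the same rule).
function simulate(seed, inputs) {
  const rand = mulberry32(seed);
  const snake = [[Math.floor(GRID / 2), Math.floor(GRID / 2)]]; // head first
  let food = placeFood(rand, snake);
  let score = 0;
  for (const d of inputs) {
    const dir = DIRS[d];
    if (!dir) return { score, dead: false, valid: false }; // malformed input
    const [hx, hy] = snake[0];
    const nx = hx + dir[0], ny = hy + dir[1];
    const hitWall = nx < 0 || ny < 0 || nx >= GRID || ny >= GRID;
    const hitSelf = snake.some(([sx, sy]) => sx === nx && sy === ny);
    if (hitWall || hitSelf) return { score, dead: true, valid: true };
    snake.unshift([nx, ny]);
    if (nx === food[0] && ny === food[1]) {
      score += 1;                       // grow: keep the tail
      food = placeFood(rand, snake);
    } else {
      snake.pop();                      // no growth this tick
    }
  }
  return { score, dead: false, valid: true };
}

// Server-side bookkeeping: one seed per game, settled at most once.
// The client never sends a score; it only sends the game id and its inputs.
class GameServer {
  constructor() {
    this.games = new Map(); // id -> seed for games that have not been settled
    this.nextId = 1;
    this.points = 0;        // stands in for the user's points column
  }

  startGame() {
    const id = this.nextId++;
    const seed = (id * 2654435761) >>> 0; // constructed seed; use a CSPRNG in practice
    this.games.set(id, seed);
    return { id, seed };                   // seed goes to the client over the socket
  }

  finishGame(id, inputs) {
    const seed = this.games.get(id);
    if (seed === undefined) return { accepted: false, reason: "unknown or already settled game" };
    this.games.delete(id); // one settlement attempt per game: a replayed finish is rejected
    const r = simulate(seed, inputs);
    if (!r.valid) return { accepted: false, reason: "malformed input" };
    if (!r.dead) return { accepted: false, reason: "game not finished" };
    this.points += r.score; // the only place points are ever added
    return { accepted: true, score: r.score };
  }
}
```

In this design the websocket carries only `startGame` and `finishGame(id, inputs)` (or the inputs tick by tick); forging a request can at best submit a different sequence of moves, which still earns only what that sequence actually scores, and sending the same finish twice fails because the game id has already been settled.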

User contributions licensed under: CC BY-SA