  #448  
Old 09-22-2002, 12:06 AM
futureal futureal is offline
 
Join Date: Feb 2002
Location: Del Mar, CA, USA
Posts: 556
Thanks given: 0 times
Thanked: 0 times in 0 posts
Default

Quote:
Originally posted by Ian
All these games can be easily hacked by memory editing. I don't know how to fix this, just pointing it out.
As far as I know, any Flash movie can be edited in this manner. Flash security is very, very limited. There are ongoing discussions and "challenges" on FlashKit (www.flashkit.com) regarding security.

The only thing I can think of that would be worth doing to prevent cheating is recording a user's "time of entry" onto the game page and then his/her "time of entry" onto the score page. Using the scoreboard editor, an administrator could easily see when a user is fooling the system -- e.g. a score of 1+ million in Tetris requires, what, 30 minutes of playing?

Really though, there is no foolproof method here. Anybody who knows how to hexedit can probably find a way to beat the system, but I am not too worried about it. I watch for things like new accounts immediately getting the highest score, and users having played once or twice and getting the highest score.

As always, I am open to suggestions on this matter if anybody has them. Security is a big issue here, but unfortunately Flash/PHP interaction is inherently insecure.

edit: This also addresses PlurPlanet's problem/question. I think that after reading this stuff, I may work on implementing my idea above. It would add yet another table and a few extra queries but it sounds like it would be worth it. In general terms, here is how this would work:
  • When a user goes to a "Play" page, an entry is recorded in the security table showing the user's ID, the game's ID, and the current server time.
  • When a user goes to a "Game Over" page, the security table is checked for the user's most recent open entry for that game, and the entry is "closed" by updating the record with the gameover time.
  • Each time a user goes to a "Play" page, the database checks to see if there is an "open" entry for that user and game; if there is, it is replaced, otherwise a new one is created.

This would add 2-3 queries to the play page (the DELETE would not always occur) and 2 queries to the gameover page, as well as a fifth table to the arcade. The advantage is that it is completely server-side, so a user will not be able to fool it. The disadvantage is that a clever user could still fool the system if he/she knows how it works. However, it should make it a lot easier to spot.
Reply With Quote
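
The open/close bookkeeping described in the post above, as an added sketch that is not the poster's or the arcade's own code. It uses Python with an in-memory SQLite database so it runs offline; the table and column names, the function names and the per-game points-per-second ceiling used to flag scores automatically are all assumptions, and the ceiling goes one step beyond the manual check in the scoreboard editor that the post describes.

```python
import sqlite3

# Hypothetical schema: one row per play session; closed_at is NULL while "open".
SCHEMA = """CREATE TABLE game_session (
    user_id INTEGER, game_id INTEGER,
    opened_at INTEGER NOT NULL, closed_at INTEGER, score INTEGER)"""

# Assumed administrator-set ceiling on points per second, per game id.
# Game 1 here: roughly 1 million points in 30 minutes, as in the post's Tetris figure.
MAX_POINTS_PER_SEC = {1: 600}

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db

def start_play(db, user_id, game_id, now):
    """'Play' page: replace any open entry for this user and game with a new one.
    `now` must be the server clock (e.g. int(time.time())), never a client value."""
    db.execute("DELETE FROM game_session WHERE user_id=? AND game_id=? "
               "AND closed_at IS NULL", (user_id, game_id))
    db.execute("INSERT INTO game_session (user_id, game_id, opened_at) "
               "VALUES (?,?,?)", (user_id, game_id, now))

def game_over(db, user_id, game_id, score, now):
    """'Game Over' page: close the most recent open entry, return (elapsed, verdict)."""
    row = db.execute("SELECT rowid, opened_at FROM game_session WHERE user_id=? "
                     "AND game_id=? AND closed_at IS NULL "
                     "ORDER BY opened_at DESC LIMIT 1", (user_id, game_id)).fetchone()
    if row is None:
        # A score arrived with no matching visit to the Play page.
        return None, "reject: no open play entry"
    rowid, opened_at = row
    db.execute("UPDATE game_session SET closed_at=?, score=? WHERE rowid=?",
               (now, score, rowid))
    elapsed = now - opened_at
    limit = MAX_POINTS_PER_SEC.get(game_id)
    if limit is not None and score > limit * max(elapsed, 1):
        return elapsed, "flag: score too high for time played"
    return elapsed, "ok"
```

A flagged score is only marked for administrator review; as the post notes, a user who knows the scheme can still wait out the clock, so the elapsed time narrows what to look at and does not prove a score is genuine.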
 