Suppose that in a browser-based game, completing an action (for simplicity, say someone clicks on a link that increases their score by 100) means clicking a link with a URL such as increase_score.pl?amount=100. What prevents someone from just sending requests to the web server to execute this command:
increase_score.pl?amount=100
I am aware of checking HTTP_REFERER, but I know that people can get around this (not sure how), and other than checking that, with some restrictions, I'm at a bit of a dead end. Has anyone had this kind of problem? Solutions?
Nothing can stop them from doing this if you implement your game as you suggest.
You need to implement the game logic on the server and assign points only after the server checks the action.
For example: on SO, when someone votes on your question, it is not sent as a command to increase your reputation. The web application simply tells the server that user X voted on the question. Then the server checks the data and assigns points if everything checks out. (Not that this is a game, but the required logic is similar.)
increase_score.pl?amount=100&token=AF32Z90
/score/link_88_clicked/
/score/link_69_clicked/
/score/link_42_clicked/
If you want the game to run only on your server, you can also determine where the signal was sent from in your receiving script and ignore everything that does not come from your domain. It will be a real pain to fake your codes if you need to escape from your dedicated domain to send points.
It also blocks most CheatEngine tricks.
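The first answer's point (keep the points table and the game state on the server and credit an action only after the server validates it), combined with the per-link token in the URL, as an added example that is not code from the thread. The `ScoreServer` class, the `LINK_POINTS` table and the player names are constructed for illustration; the player identity is assumed to come from an already authenticated session, and any `amount` the client sends is ignored.

```python
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the server, not the client, knows what each link is worth.
LINK_POINTS = {"link_88": 100, "link_69": 50, "link_42": 10}


class ScoreServer:
    def __init__(self):
        self.scores = {}   # player -> total points
        self.claimed = {}  # player -> set of links already credited
        self.issued = {}   # (player, link) -> single-use token handed out at render time

    def render_link(self, player, link):
        """Called when the page is built: mint a token bound to this player and link."""
        token = secrets.token_urlsafe(16)
        self.issued[(player, link)] = token
        return f"/score/{link}_clicked/?token={token}"

    def handle_request(self, player, url):
        """Handle a click request. Returns (credited, reason)."""
        parts = urlsplit(url)
        path = parts.path.strip("/").split("/")
        if len(path) != 2 or path[0] != "score" or not path[1].endswith("_clicked"):
            return False, "bad path"
        link = path[1][: -len("_clicked")]
        if link not in LINK_POINTS:
            return False, "unknown link"
        # Only the token is read from the query string; a client-supplied
        # 'amount' parameter is never consulted.
        token = parse_qs(parts.query).get("token", [""])[0]
        expected = self.issued.get((player, link))
        if expected is None or not secrets.compare_digest(expected, token):
            return False, "bad or replayed token"
        del self.issued[(player, link)]  # single use: a replayed URL fails above
        if link in self.claimed.setdefault(player, set()):
            return False, "already credited"
        self.claimed[player].add(link)
        self.scores[player] = self.scores.get(player, 0) + LINK_POINTS[link]
        return True, "ok"
```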