6

I have used this html5 Snake game on my website , but problem is that it can be hacked so easily .

http://cssdeck.com/labs/classic-snake-game-with-html5-canvas

Hackers can inject scores and submit their own scores.

Is there anyway to protect score variable inside the script not to be injected by clients ?

Improve this question
2
  • They could also submit fake scores by calling $.ajax or something similar in the browser console, without injecting any variable.
    – neuront
    Commented Jul 30, 2014 at 3:29
  • @neuront and anyway to prevent that ?
    – Mac Taylor
    Commented Jul 30, 2014 at 3:32

1 Answer 1

Reset to default
7

Not as long as the game is implemented entirely on the client side. The "solution" is to implement the game rules and storage on the server side, and have the client be mostly UI, but this might be overkill for such a simple browser game.

You could make it harder by obfuscating the code, but that would only stop people who don't actually care.

If the game is deterministic you could keep a log of all game "events" and send that to the server, where the score would be calculated. This would make it more work to fake a score, but it would still be possible to fake, and it would also be a lot of work to build such a system.

Improve this answer
3
  • 1
    Thanks, so no way to immune this game from being hacked. I heard about private variables , isn't it useful here ? stackoverflow.com/questions/3194632/…
    – Mac Taylor
    Commented Jul 30, 2014 at 3:35
  • Hm. The approach there would prevent someone from casually changing variables "live" in the javascript console. It would do nothing to prevent them from submitting whatever score to the server though. And they could get around it in various ways like just substituting an edited script file. I would put that in the same category as obfuscation - it makes it harder but only stops people who don't actually care. Not a bad idea though as it also helps prevent global namespace collisions.
    – Jason S
    Commented Jul 30, 2014 at 3:43
  • And what about using console.log() to save all moves and at the end before saving the score check the log and if the log is equal to score then it is true. Can anyone also inject to console log ?
    – Mac Taylor
    Commented Jul 30, 2014 at 5:06

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.