2

I'm using HTML, JQuery and PHP/MySQL. I understand for the most part that if I want to make this game safe then the server needs to do practically everything, but in some situations the game must tell the server to do things. In my case this is a RPG type setup, it will need to at times send a POST request to a PHP script via an Ajax call that updates, inserts or deletes from the database. Such as a player wins a battle and he's exp needs to be appended to, or a player takes a turn in a battle and it needs to work out the amount of HP taken off the other enemy and return it as well as updating the enemy's HP.

Lets say when the player clicks "Attack" and it runs a JavaScript function called playerMove('attack'), what stops the user going into their browser developer tools and running this function manually? Or using similar code on an alternative server and running cross site Ajax calls to the same public scripts on my server?

Is there any way around this problem? Even if I had a game that was made as a client side application (Like C# or whatever) wouldn't these problems still exist, but just harder for users to execute. Or would connecting to MySQL directly through C# be mostly safe if done correctly. But what about C# sending POST requests to PHP scripts, wouldn't that bring you back to the problem that as the scripts are public they could be POSTed to from other sources?

Improve this question
3
  • You're right about the server having to check almost everything. Commented Dec 3, 2013 at 11:25
  • 1
    So the aim of the game is to decrease your opponent's HP? Commented Dec 3, 2013 at 12:05
  • 1
    Lol yep, the more HP you detract from your enemy, the more brown sauce you collect for extra power in future battles! Commented Dec 3, 2013 at 12:15

1 Answer 1

Reset to default
3

Basically, every time a player "attack" request comes in, the server needs to do at least the following:

  • Do basic validation on the data in the request.

  • Check that the subject player attack request is actually coming from the correct account.

  • Check that the player is currently in battle, it's his turn, the target of the attack is valid, the player doesn't have any status effects preventing attacking, etc. Any game logic that prescribes that the player can't attack right now.

  • Calculate the attack's effects.

  • Update the database.

  • Return the results to the client.

  • Return the results to all other clients, through long polling, WebSockets, etc.

Now, if the player tries to make the AJAX call when they shouldn't be able to, your server validation should prevent it. Remember, the client is all input/output and can't do any game logic without tons of code duplication between your JS and PHP.

Making a game in PHP, especially multiplayer, requires a ton of overhead and boilerplate. I'd honestly think about using another language/framework. For example, Meteor hooks up a lot of this stuff for you. Client, server, and database data are automatically synchronized. It also has latency compensation so the client can run the server code to get an expected result, and then update to the actual result whenever the server eventually responds. This would make your game feel like it's working in real time, while still giving the server the last say on whatever game logic happens.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Thanks Cuberto, that seems to be the only way to validate it I guess! It just seems a bit daunting validating every single request individually in different ways considering there will be 100's of request scripts. I will definitely look at Meteor, thanks for your answer!

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.