Question:
I want to create a game entirely in html5 / css / js . The only interaction with the server I plan to do is send points and, possibly, some more data, as well as a request for player ratings. This information will be entered / fetched from the database using php .
How to make sure that the user cannot send "faked" data to the server?
I thought, maybe, when loading the page, I can transfer some code to one of the variables, and then on the server then check it again …
Answer:
To prove that it is impossible to prevent cheating is simple: imagine that this is not a game and points, but a bank and money. The client-side code, down to every variable, is entirely in the hands of motivated villains. Of course, they will disassemble, understand how, and cheat.
But this is just a game. Therefore, it is enough to complicate the wrapping to such an extent that hardly anyone would be puzzled to turn it around.
You might think about time : let intermediate data be sent to the server during the game. Ex. for Tetris, the acceleration of the game is predictable. And if at time t1 he has already scored x1 points, at t2 – x2, then the super-result is xs, he can gain approximately at time ts. A school hacker is unlikely to be bothered to select such a dynamics with the sending of intermediate results, and you will be able to distinguish those sent by a live game from the wound ones.
You can not send glasses head-on, but arrange a dialogue between the Client (C) and the Server (C):
К: хочу отправить рекорд
С: что, правда? Ну вот тебе случайное число.
К: прибавляет к случайному свой результат, и проделывает ещё какие-то вычисления и результат тут же отправляет серверу.
С: ок, ты справился с заданием почти мгновенно, вроде все ок, записал результат.
If the calculations are non-trivial, and the JS code is obfuscated, few people will get to the point and fake the result.