- Home /
Safest way to send data to server
Hi there. I was wondering, what's the best and safest way to send data, such as high scores, to my (php) server ?
I was doing a little research (but the articles seemed kinda old) and read that using MD5 is a good idea, using a secret key. For instance, I could send the username, score and the already encripted concatenated string (username+score+secret_key) to the server and validate them there.
But is there a better (safest) way to do it? The example above is kinda simple, but what if it's more complex like leveling up or claiming a prize/bonus (even for these, I can think of ways around like sending the exact new level, or checking if the prize is still available... I don't know. I can't think of a really complex example)... but that's not my point, my point is... is there other option? Or using MD5 + a secret key the best way?
Thanks!
Answer by YoungDeveloper · Aug 25, 2015 at 10:58 AM
Safest way would be not sending score at all. Instead you send client input and other activities. Server checks are those actions legit or not. If yes, action is executed and if result produces score, new score is added, saved and sent back to user just for visualization.
If you keep values on device then anyone with basic understanding of google search can modify your values.
There are sniffer program that will track your variables and allow the user to pass any value.
Sending data back to server enables possibility to track illegal data bumps. A few years back, Angry Birds had some browser hack to enable unlimited power-ups. People were getting high score that were discouraging the legit players.
Rovio just went to wipe any high score and data that looked suspicious on their server.
This is the kind of things you want to keep in $$anonymous$$d.
Using GameCenter is already a first step as it allows to control the values that should be passed.
@fafase That's the reason i don't use PUN, as you trust the user with the data he sends. You will never be able to protect outgoing data, that's why data legitimacy should be checked on server side. I know devs who are trying to create client side anti hack checkers (for PUN in this example), but it's been 2 and half years an they are still struggling. They have eli$$anonymous$$ated 10 year olds though.
Thanks. I get your idea, but I believe is the same thing if I send the client inputs or actions to my server since I'm still sending data. That's why I mentioned the other example above: where the player reclaims a prize, I would ask the server if the user can reclaim that prize AND if the prize is still available.
I've worked with Flash games for a while and I've always been dealing with people who try to manipulate the POST or GET data even from the browser, or creating their own forms (html) and then send data to my server. I'm developing mobile games now with unity and I know that anyone with enough knowledge (not the average user) would be able to see what data i'm sending to my server, that's why I was wondering if there's still a safest way to do so.