Need to encrypt javascript die roller output

Hi, I'm making a javascript program for rolling dice for a roleplaying
game that's played in a forum. The die roll gets generated, gets stored
as text in a hidden form field, and then gets written to the mySQL
database upon form submission.

What I want to do is prevent cheaters from being able to create their
own die roll, and the best way I've come up with to do this is to
encrypt what gets stored in the hidden form field. However, since all
javascript code can be viewed by the user, they can see what key I'm
using.

Any suggestions on what to use as a key that a user cannot get access
to? Data hard-coded into a java applet, perhaps? Even that might be
hackable by someone with a tool capable of inspecting javascript variables
at run-time.

Is it simply impossible to prevent cheating if my code is in
javascript? There must be some way to secure hidden form fields to
ensure that their content is code-produced only. Is there? Or is there
some other way to make a cheater-proof javascript die roller I haven't
thought of?

Jul 1 '06
> I question whether this actually solves your problem, but perhaps only
> because the problem hasn't been stated precisely yet :)

I guess the precise problem is simply that I want to make a
cheater-proof die roller as a forum mod. (The forum is SMF, BTW.) I
want to do it in javascript for speed.

> If different results, what prevents the user from reloading until
> he gets a good number?
>
> As long as he wanted to store it in a db serverside, he should have
> no problems maintaining state during the session serverside.

Yup, so a user who keeps rolling will have each roll put into the db.

> Yep, here's one cheater-resistant way. The CHAP protocol uses a technique
> to prevent such a man-in-the-middle attack. And using that, no, there's no
> cleartext password exchanged over the wire.
>
> But what prevents the player from fixing the die roll itself.
>
> Secure transfer is not the problem, but preventing him from substituting
> Math.random with function(){return 1.0;} is.

Thanks for the info about CHAP. It looks very interesting, but yeah, I
think it's not good enough in this case. The die roll needs to be
generated server-side or else it will always be vulnerable to
client-side manipulation.

With AJAX, I can dynamically load a simple php file using javascript.
This simple php file will simply generate a random number, insert it
into the database, and return the result to the calling javascript
function. Even if the user manipulates this, he can't (theoretically)
ever manipulate the database.

To see what I have so far, check out:

http://herbaloutfitters.com/dierolle...;num_replies=2

Click the two red dice to open the die roller popup.

Kanon

Jul 3 '06 #11
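
The server-side roll described in this post, as an added example that is not code from the thread or from SMF. Assumptions: Node.js stands in for the PHP file, an in-memory array stands in for the MySQL table, and the function names are hypothetical.

```javascript
// Added example, not from the thread: server-side roll ledger.
const { randomInt } = require("node:crypto");

const ledger = []; // stand-in for the database table; rows are only appended

// Called by the AJAX endpoint. The browser supplies the dice spec and a reason,
// never a result; the returned row is for display only.
function rollAndRecord(user, ip, count, sides, reason) {
  if (!Number.isInteger(count) || count < 1 || count > 100) throw new RangeError("bad dice count");
  if (!Number.isInteger(sides) || sides < 2 || sides > 1000) throw new RangeError("bad die size");
  const dice = Array.from({ length: count }, () => randomInt(1, sides + 1));
  const row = Object.freeze({
    id: ledger.length + 1, user, ip,
    spec: `${count}d${sides}`,
    reason: String(reason).slice(0, 200),
    dice, total: dice.reduce((a, b) => a + b, 0),
    at: Date.now(),
  });
  ledger.push(row);
  return row;
}

// When the post is saved it carries only a roll id. The result is read back
// from the ledger, so a value edited in a hidden form field is never used.
function rollForPost(user, rollId) {
  const row = ledger.find(r => r.id === rollId && r.user === user);
  if (!row) throw new Error("no such roll for this user");
  return row;
}

// Every roll is kept, so repeated rolls of the same dice by the same
// user and address inside the window show up for the GM.
function rerollReport(windowMs = 10 * 60 * 1000, now = Date.now()) {
  const counts = new Map();
  for (const r of ledger) {
    if (now - r.at > windowMs) continue;
    const key = `${r.user}|${r.ip}|${r.spec}`;
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return [...counts].filter(([, n]) => n > 1).map(([key, rolls]) => ({ key, rolls }));
}
```
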
go**********@herbaloutfitters.com writes:

> With AJAX, I can dynamically load a simple php file using javascript.
> This simple php file will simply generate a random number, insert it
> into the database, and return the result to the calling javascript
> function. Even if the user manipulates this, he can't (theoretically)
> ever manipulate the database.

True. It seems you can roll without being logged in, but if you record
the client ip address with the roll, you should still have a clue
whether someone is rerolling for a good roll.

On the other hand, if one post contains multiple rolls of the same
type, the player can still rearrange them to his needs, like using
his magic arrow for the second attack, not the first, decided after
rolling both attack rolls.
Another solution could be to add a tag, e.g.,: [dice=5d4+5]damage[/dice]
which is expanded server side into "damage (5d4+5=17)"
You can even add extra parameters to show individual die rolls, e.g.:
[dice=10d6,show]fireball[/dice] becoming
"fireball (10d6=4+2+4+6+2+1+3+2+6+6=36)". I still think this is a lot
simpler than using extra server calls and trying to control the user.

/L
--
Lasse Reichstein Nielsen - lr*@hotpop.com
DHTML Death Colors: <URL:http://www.infimum.dk/HTML/rasterTriangleDOM.html>
'Faith without judgement merely degrades the spirit divine.'
Jul 3 '06 #12
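
The tag expansion suggested in this post, as an added example that is not code from the thread or from SMF. Assumptions: Node.js on the server, a hypothetical `expandDiceTags` function, and size limits chosen for illustration.

```javascript
// Added example, not from the thread: server-side expansion of dice tags.
const { randomInt } = require("node:crypto");

// [dice=NdM], optional +K/-K modifier, optional ",show" flag, then a label.
const DICE_TAG = /\[dice=(\d{1,3})d(\d{1,4})([+-]\d{1,4})?(,show)?\]([^\[\]]*)\[\/dice\]/gi;

// Default die: CSPRNG integer in 1..sides. Injectable so tests can be deterministic.
const serverDie = sides => randomInt(1, sides + 1);

// Call once, when the post is first saved, and store the returned text.
// Expanding at render time or again on edit would give the player a reroll.
function expandDiceTags(text, rollDie = serverDie) {
  const rolls = [];
  const expanded = text.replace(DICE_TAG, (tag, n, m, mod, show, label) => {
    const count = Number(n), sides = Number(m), bonus = Number(mod || 0);
    // Out-of-range specs are left exactly as typed instead of being rolled.
    if (count < 1 || count > 100 || sides < 2) return tag;
    const dice = Array.from({ length: count }, () => rollDie(sides));
    const total = dice.reduce((a, b) => a + b, 0) + bonus;
    const spec = `${count}d${sides}${mod || ""}`;
    rolls.push({ spec, dice, total, label });
    const detail = show ? `${dice.join("+")}${mod || ""}=` : "";
    return `${label} (${spec}=${detail}${total})`;
  });
  // `rolls` goes into its own table so a result typed by hand into a post
  // can be told apart from one the server produced.
  return { text: expanded, rolls };
}
```
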
Lasse Reichstein Nielsen wrote:

> True. It seems you can roll without being logged in, but if you record
> the client ip address with the roll, you should still have a clue
> whether someone is rerolling for a good roll.

Actually, I just configured that test forum to allow guests to post
(and therefore roll dice). In actual use, only members of a game will
have the ability to post in it. This is yet another mod I'm working on.

> On the other hand, if one post contains multiple rolls of the same
> type, the player can still rearrange them to his needs, like using
> his magic arrow for the second attack, not the first, decided after
> rolling both attack rolls.

Not once I actually make that reason textbox work. I'll put a note to
the players saying to be specific about what the roll is for.

> Another solution could be to add a tag, e.g.,: [dice=5d4+5]damage[/dice]
> which is expanded server side into "damage (5d4+5=17)"

Problem with this is that it's nice to know the result of your roll
while posting, not just after. For example, if the GM tells you to roll
vs. your IQ to detect something, you can do the roll and respond with
your character's actions based on whether or not you succeeded.

Another member of the team I'm doing all this with (see
http://www.ayeka.net/smf/index.php?board=89.0 for our developer's
discussion area) has made a dieroller very much like what you describe.
It's simple and it works. You can see it in action on his site:
http://forum.technodragon.net/ , but you'll have to register to get
posting (and therefore rolling) access.

Jul 3 '06 #13
