Talking to Firebug users

Posted May 14 in Technology.

As you all might have heard, I have my first JavaScript & CSS game up over at arcade.christianmontoya.com/tunnel. One of the problems with making a game using JavaScript is that all the game variables are on the client side, open to the user for modifying. Firebug happens to be the easiest way to get into all that client side stuff and mess around, and if you look at the high score table on my game, you can see that people have already tried it out. With Firebug, users can live edit all the JavaScript, CSS, and HTML loaded on the page, which means that if you are then submitting any of this info back to the server, they can modify that info before it is sent and basically hack around. This is definitely an issue when you want to protect important information like scores.

I’ve looked through the Firebug API and as far as I can tell, there’s no way to prevent Firebug users from editing your data. Even if there were, anyone could write another script to accomplish the same task. From what I have gathered, the best you can do is figure out when someone has Firebug running and ask them not to mess around. Here’s what I figured out: whenever Firebug is running, it has an object that you can access from your JavaScript called “console.” The following JavaScript code tests if the console exists:

if('object' == typeof console) {}

Then, with the knowledge that Firebug is running, I can do this:

if('object' == typeof console) {
 console.warn("No cheating!");
}

It’s sad to think that the best I can do to combat Firebug hackery is tell users not to cheat, but that seems to be all I can do! I don’t know, however, if this slows down Firefox considerably… as it is, my game already seems to run slower in Firefox, which I think you can attribute to the fact that Firefox’s JavaScript engine is slower. Anyway, tangent aside, I hope this helps Firebug users… it makes for a nice way to embed debugging code in your scripts that will work with Firebug without causing problems to other users.


8 Comments
  1. Elliott C. Bäck May 14, 2007

    I cheated. I’m sorry :( ^_^

  2. Elliott C. Bäck May 14, 2007

    But on another note I could rewrite your highscore engine so it was uncrackable ;)

  3. Teej May 14, 2007

    You could always try hiding the score in a closure. Check out Crockford’s implementation of private variables.

  4. Christian Montoya May 14, 2007

    Elliott: If I give up soon, you can go ahead!

    Teej: Thanks so much for the link, I’m going to read it now!

  5. kramtark May 15, 2007

    Haha… as long as you keep the score-recording PHP page the same, any changes to the Javascript are meaningless.

  6. Christian Montoya May 15, 2007

    kramtark, I’m not exactly sure what you mean by that. The PHP page only accepts POST requests and the request to update takes a secret token, albeit not too secret. Point is you would have to go through some work to hack the PHP route. Is this what you are talking about? I should mention that using private variables in Javascript could help this side of hack-prevention too ;)

    And to all, I am going to rewrite the code with private variables soon and see what I can accomplish. Stay tuned.

  7. Inky May 15, 2007

    Private variables sounds like a good idea. At the moment it’s too easy to fool the game, even without Firebug. ("eval('tunnel_width = 999999')" makes it too easy!)

  8. Elliott C. Bäck May 15, 2007

    Let me know when you do so I can come hack it again :D
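
The comments above locate the real problem at the score-recording endpoint: whatever the page sends, the server decides what to store. The following is an added example, not code from the post or the game: a Node.js check that accepts a score only if it carries a server-signed start token and is achievable in the elapsed time. The function names, the HMAC token format and the `MAX_POINTS_PER_SEC` limit are assumptions for illustration.

```javascript
// Added example: server-side score check. All names and limits are assumptions.
const crypto = require('crypto');

const SERVER_KEY = crypto.randomBytes(32); // stays on the server, never sent to the page
const MAX_POINTS_PER_SEC = 10;             // assumed upper bound on the game's scoring rate
const usedSessions = new Set();            // one accepted submission per started game

function sign(payload) {
  return crypto.createHmac('sha256', SERVER_KEY).update(payload).digest('hex');
}

// Called when a game starts: binds a random session id to the server's start time.
function issueStartToken(nowMs) {
  const payload = crypto.randomUUID() + '.' + nowMs;
  return payload + '.' + sign(payload);
}

// Called by the score endpoint. Everything in the request is treated as untrusted.
function checkSubmission(token, claimedScore, nowMs) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed token' };
  const [sessionId, startedAt, mac] = parts;

  // Recompute the MAC and compare in constant time; an edited start time fails here.
  const expected = Buffer.from(sign(sessionId + '.' + startedAt), 'hex');
  const given = Buffer.from(mac, 'hex');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad signature' };
  }
  if (usedSessions.has(sessionId)) return { ok: false, reason: 'token already used' };
  if (!Number.isInteger(claimedScore) || claimedScore < 0) {
    return { ok: false, reason: 'score is not a non-negative integer' };
  }

  // Plausibility bound: the score cannot exceed what the elapsed time allows.
  const elapsedSec = (nowMs - Number(startedAt)) / 1000;
  if (elapsedSec <= 0 || claimedScore > elapsedSec * MAX_POINTS_PER_SEC) {
    return { ok: false, reason: 'score impossible for elapsed time' };
  }
  usedSessions.add(sessionId);
  return { ok: true, reason: 'accepted' };
}
```

A plausibility bound does not prove the score was earned; it only rejects values the game could not have produced in that time.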
