The Montoya Herald, a weblog about Blueprint, jQuery, design, music and life, publishing on the web since September 2005. Written by Christian Montoya: developer, designer and entrepreneur.

The Montoya Herald — ChristianMontoya.com

Search

Things I Do

Supported By

Like What I Do?

My Amazon.com Wish List

On this domain

Elsewhere

Talking to Firebug users

Posted on May 14, 2007.

As you all might have heard, I have my first Javascript & CSS game up over at arcade.christianmontoya.com/tunnel. One of the problems with making a game using Javascript is that all the game variables are on the client side, open to the user for modifying. Firebug happens to be the easiest way to get into all that client side stuff and mess around, and if you look at the high score table on my game, you can see that people have already tried it out. With Firebug, users can live edit all the Javascript, CSS, and HTML loaded on the page, which means that if you are then submitting any of this info back to the server, they can modify that info before it is sent and basically hack around. This is definitely an issue when you want to protect important information like scores.

I've looked through the Firebug API and as far as I can tell, there's no way to prevent Firebug users from editing your data. Even if there was, anyone could write another script to accomplish the same task. From what I have gathered, the best you can do is figure out when someone has Firebug running and ask them not to mess around. Here's what I figured out: whenever Firebug is running, it has an object that you can access from your Javascript called "console." The following Javascript code tests if the console exists:

if('object' == typeof console) {}

Then, with the knowledge that Firebug is running, I can do this:

if('object' == typeof console) {
 console.warn("No cheating!");
}

It's sad to think that the best I can do to combat Firebug hackery is tell users not to cheat, but that seems to be all I can do! I don't know, however, if this slows down Firefox considerably… as it is my game already seems to run slower in Firefox which I think you can attribute to the fact that Firefox's Javascript engine is slower. Anyway, tangent aside, I hope this helps Firebug users… it makes for a nice way to embed debugging code in your scripts that will work with Firebug without causing problems to other users.

Get a trackback link

2 Trackbacks/Pingbacks

  1. Pingback: Automatic Blog Posting! » Blog Archive » Content Filtering on May 16, 2007
  2. Pingback: All in a days work… on May 17, 2007

13 Comments

  1. Elliott C. Bäck on May 14, 2007

    I cheated. I'm sorry :( ^_^

  2. Elliott C. Bäck on May 14, 2007

    But on another note I could rewrite your highscore engine so it was uncrackable ;)

  3. Teej on May 14, 2007

    You could always try hiding the score in a closure. Check out Crockford's implementation of private variables.

  4. Christian Montoya on May 14, 2007

    Elliott: If I give up soon, you can go ahead!

    Teej: Thanks so much for the link, I'm going to read it now!

  5. kramtark on May 15, 2007

    Haha… as long as you keep the score-recording PHP page the same, any changes to the Javascript are meaningless.

  6. Christian Montoya on May 15, 2007

    kramtark, I'm not exactly sure what you mean by that. The PHP page only accepts POST requests and the request to update takes a secret token, albeit not too secret. Point is you would have to go through some work to hack the PHP route. Is this what you are talking about? I should mention that using private variables in Javascript could help this side of hack-prevention too ;)

    And to all, I am going to rewrite the code with private variables soon and see what I can accomplish. Stay tuned.

  7. Inky on May 15, 2007

    Private variables sounds like a good idea. At the moment it's too easy to fool the game, even without Firebug. ("eval('tunnel_width = 999999')" makes it too easy!)

  8. Elliott C. Bäck on May 15, 2007

    Let me know when you do so I can come hack it again :D

  9. david on March 11, 2009

    hi is there any way you can get the stuff you editid with the fie bug to stay the same because i have been useing it for a couple of days but nothing i do sticks im not useing it for hacking in to sites or pesanol information but its just for like games that you can change like tribal wars

  10. Christian Montoya on March 11, 2009

    David, if the game is doing error-checking behind the scenes, then you can't make the variables stick. That's just how it is!

  11. david on March 12, 2009

    ok but it dosnt seem to stay on anything is ther realy any use for firebug atall because its not doing anything

  12. Christian Montoya on March 12, 2009

    David, there's no use for you and the things that you want to do. Unless you plan on developing web applications, just uninstall Firebug.

  13. david on March 13, 2009

    ok thanks for helping mate

Leave a comment

Use Markdown or basic HTML. For posting code, use Postable. Please keep comments respectful and on topic.