The Montoya Herald — ChristianMontoya.com
As you all might have heard, I have my first JavaScript & CSS game up over at arcade.christianmontoya.com/tunnel. One of the problems with making a game using JavaScript is that all the game variables are on the client side, open to the user to modify. Firebug happens to be the easiest way to get into all that client-side stuff and mess around, and if you look at the high score table on my game, you can see that people have already tried it out. With Firebug, users can live-edit all the JavaScript, CSS, and HTML loaded on the page, which means that if you then submit any of this info back to the server, they can modify it before it is sent and basically hack around. This is definitely an issue when you want to protect important information like scores.
I've looked through the Firebug API and as far as I can tell, there's no way to prevent Firebug users from editing your data. Even if there were, anyone could write another script to accomplish the same task. From what I have gathered, the best you can do is figure out when someone has Firebug running and ask them not to mess around. Here's what I figured out: whenever Firebug is running, it has an object that you can access from your JavaScript called "console." The following JavaScript code tests if the console exists:
if('object' == typeof console) {}
Then, with the knowledge that Firebug is running, I can do this:
if('object' == typeof console) {
    console.warn("No cheating!");
}
It's sad to think that the best I can do to combat Firebug hackery is tell users not to cheat, but that seems to be all I can do! I don't know, however, if this slows down Firefox considerably… as it is, my game already seems to run slower in Firefox, which I think you can attribute to the fact that Firefox's JavaScript engine is slower. Anyway, tangent aside, I hope this helps Firebug users… it makes for a nice way to embed debugging code in your scripts that will work with Firebug without causing problems for other users.
I cheated. I'm sorry
^_^
But on another note, I could rewrite your highscore engine so it was uncrackable.
You could always try hiding the score in a closure. Check out Crockford's implementation of private variables.
Elliott: If I give up soon, you can go ahead!
Teej: Thanks so much for the link, I'm going to read it now!
Haha… as long as you keep the score-recording PHP page the same, any changes to the JavaScript are meaningless.
kramtark, I'm not exactly sure what you mean by that. The PHP page only accepts POST requests and the request to update takes a secret token, albeit not too secret. Point is you would have to go through some work to hack the PHP route. Is this what you are talking about? I should mention that using private variables in JavaScript could help this side of hack-prevention too.
And to all, I am going to rewrite the code with private variables soon and see what I can accomplish. Stay tuned.
Private variables sounds like a good idea. At the moment it's too easy to fool the game, even without Firebug. ("eval('tunnel_width = 999999')" makes it too easy!)
Let me know when you do so I can come hack it again.
Hi, is there any way you can get the stuff you edited with Firebug to stay the same? Because I have been using it for a couple of days but nothing I do sticks. I'm not using it for hacking into sites or personal information, but it's just for like games that you can change, like Tribal Wars.
David, if the game is doing error-checking behind the scenes, then you can't make the variables stick. That's just how it is!
OK, but it doesn't seem to stay on anything. Is there really any use for Firebug at all? Because it's not doing anything.
David, there's no use for you and the things that you want to do. Unless you plan on developing web applications, just uninstall Firebug.
ok thanks for helping mate
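The closure suggestion and the point about the score-recording page, put side by side as an added example (not code from the game or from any commenter). The function names, tick interval and scoring rule are assumptions, and the server-side check is sketched in JavaScript rather than PHP so the whole thing runs in one file:

```javascript
// Added example; createGame, createScoreServer, TICK_MS and
// POINTS_PER_TICK are hypothetical names and values.
const TICK_MS = 50;          // assumed game-loop interval
const POINTS_PER_TICK = 1;   // assumed rule: one point per surviving tick

// Client side: state lives in a closure, so there is no global
// tunnel_width or score for the console to overwrite.
function createGame() {
  let tunnelWidth = 200;
  let score = 0;
  return {
    tick() {
      score += POINTS_PER_TICK;
      if (score % 100 === 0 && tunnelWidth > 40) tunnelWidth -= 10;
    },
    getScore: () => score,
    getTunnelWidth: () => tunnelWidth,
  };
}

// Server side: the closure does not protect the POST itself, so the
// score-recording endpoint judges each claim against its own clock.
function createScoreServer(now = Date.now) {
  const sessions = new Map(); // sessionId -> start time recorded by the server
  let nextId = 1;
  return {
    startSession() {
      const id = String(nextId++);
      sessions.set(id, now());
      return id;
    },
    submit(sessionId, score) {
      const startedAt = sessions.get(sessionId);
      if (startedAt === undefined) return { ok: false, reason: 'unknown session' };
      sessions.delete(sessionId); // one submission per game
      if (!Number.isInteger(score) || score < 0) return { ok: false, reason: 'malformed score' };
      const maxTicks = Math.floor((now() - startedAt) / TICK_MS) + 1;
      if (score > maxTicks * POINTS_PER_TICK) return { ok: false, reason: 'score exceeds elapsed play time' };
      return { ok: true, score };
    },
  };
}
```

The closure only removes the easy global-variable edit; the server-side bound is what keeps an impossible score off the table, because it does not trust anything computed in the browser.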