开发者

Secure web language for an online mini-game?

I've seen quite a few smaller online games created in Javascript (Blackjack, etc). While some of them are pretty neat, they don't seem secure as Javascript is ren开发者_StackOverflow中文版dered client-side. In looking at some games I'd like to create, and thinking long-term with pay-to-play/user accounts, I'm thinking I'll need something more secure where certain game logic is hidden from the end user.

Any recommendations for web languages/technologies that would satisfy this? Open source/free is preferable. Is Flash the best option here (not open source)? I currently have the most experience in standard HTML/CSS/Javascript and PHP.

Just looking for ideas.

Thanks!


When dealing with security, you always have to define what secure is. If you are running a gambling website, your local gaming commission may have some say in this. If you are just running a multiplayer game for fun, then you can be more loose with your definition (assuming occasional cheating won't ruin the day).

In general if you want to completely prevent the end user from being able to interfere with gameplay, all the real work has to be on a server you control. This means PHP, ruby, perl, python, Java etc... With a flash, javascript, or html5 frontend that you have to assume can produce untrustworthy data, even if it is perfectly crafted.

To minimize the effect of a malicious player sending specially crafted bogus data to the server you should use a server side language that handles the buffer size/bounds checking and the cleaning of input parameters for you. I use PHP a great deal it handles bounds checking automatically, like most scripting languages. PHP doesn't automatically clean data that was inputted on the client side, but has good string manipulation tools so I can do it myself. Be careful to handle apostrophes, html tags, and javascript that a user might input to prevent Sql injection ( http://en.wikipedia.org/wiki/SQL_injection ) and Cross Sight scripting attacks ( http://en.wikipedia.org/wiki/Cross-site_scripting ). Converting all ',< ,> to characters codes is a good start, but you should thoroughly research the topic. To help with cross site scripting attacks you should ignore requests that come from other domain names, unless you have a secial need to do otherwise.

As for all programming issues, think it through carefully and test as much as possible with as much varied data as possible.


Your best option here would be to keep the processing you need secured on the server side, and validate anything coming to you from the client.

Whether your frontend is javascript, Flash, or anything else - when it tells the backend "the player just flipped over a card and got blackjack", you need to be able to confirm on the server that the player can flip over a card and get blackjack right now.

As far as technologies go, use what you know - PHP will be fine, you just have to make sure you're doing those checks on user input.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜