My online hiscore system consists of a server side php script and a webbrowser component inside the app.

What it does is call the script with an action variable set for either viewing or submitting the hiscore with the script returning either the list of hiscores or the position received accordingly in plain text.

Then it's just a matter of parsing the data and displaying it inside the app.

What I'm wondering though, is are there any problems doing online hiscores and how have you implemented them in your own games?

I know of some that use a realtime dedicated server that the app connects too but I'm wondering what advantages/differences there are to an http + script method?

My concern would be cheating. Kind of ruins the online high score thing for everybody else. I've sometimes wondered what to do about that.

I think simply encrypting (XOR'ing or whatever) the data before it is sent is sufficient to stop all but the most persistant person

That works for keeping people from uploading new high scores directly, but what if someone makes a trainer app for your game whcih alters the rules in the player's favor? Then they go rack up some really high scores and the game uploads them, no bothering with encryption or protocol required. I've seen this happen to almost every online hi score table I've known about.

And usually trainers are a cinche to make.

I do think online high scores are cool, and I wish there was a secure way to do them, but heck even flash games get hacked all the time to make it possible to put in extremely high scores. Since even a couple bad scores spoil the fun for everyone, I think the only real solution (or situation where they can be used) is in games like Quake or Unreal Tournament, where almost all the rules of the game are controlled by a server. At that point the user would be forced to use a client-side aiming bot or something, which is considerably more difficult to make and use, and isn't applicable to all game types.

- Air

I intend to use one for an upcoming game. I figure I'll just have to manually edit it if I see an impossibly high score, after notifying the poster of course.

I posted my method before but cant seem to find it (must've been lost).

In Miko & Molly, I take a few measures to protect the high scores being uploaded. The first is to do some checksumming on the data sent to the server. If this doesn't match, I know right off the data is bad/hacked and reject it. If the checksumming all looks OK, then I also transmit a game log. The game log contains a record of everything that took place in the game. You could think of this along the lines of a demo recording. If I ever suspect a score is hacked, I can always play back the recording. If the user walks through a tree or something, I've got my answer and can remove the score.

If you want to be really fair (as I do), another thing to consider is to keep a log of all high scores you accept (not just the current top 10). If you find someone cheated, remove that score and pick the 10 highest of the remaining scores. This way if someone has a really good game and gets a superb #1 score that nobody can repeat (not even themself), then some hacker comes along and fills the board, you don't end up with the ill will of customers whose scores are forever lost.

Similarly to LordK I record a whole huge load of stats about every game, even down to the number of frame ticks, and keep every hiscore submitted to me for statistical analysis. When I've got a couple of thousand hiscores it should be easy to determine statistically if there are any stats outside of, say, 2 standard deviations from the mean, or way out of correlation, and flag them as suspicious. Further dodgy scores from the same regcode I will then block after an exchange of emails :D

Cas :)

Another way of keeping the high score table clean is to incorperate invisible trip-wires in your program. e.g. keep an xor'ed version of the score/lives/level somewhere and set a cheater flag if it ever becomes desynchronised. Don't tell the player if they are caught using (or attempting to write) a trainer, but send the flag back to the server so that the player can be blacklisted (!).

Or:

if (cheater)
*(int*)1=0;

LordKronos, there is no replacement for being able to verify the score by watching a reply of the game, though. Must be fascinating to see the players' behaviour too. Do you watch many games if there is nothing on telly? :)

J

LordKronos and Princec -

Do you tell the player first that you're going to upload a log of their game?

I don't upload a log - just their score and statistics. Most of which appear on the hiscore table.

Cas :)

Originally posted by Siebharinn
Do you tell the player first that you're going to upload a log of their game?
No I don't say that. High scores are not uploaded automatically, only when the user chooses to explicitly upload their scores. I consider the log to be part of the score.

Speaking of logging...

We've been playing a lot of Candy Crisis here lately - cursing it all the while, but still playing. One of the lovely little features it has is that it stores your best chain reaction and shows it along with the high score list - which is a much cooler thing to jog your partner to see ("Look! I triggered SIX of them!") then just a big number.