For our games Betty's Beer Bar and FaceIt there are online high score tables ( http://www.mrio-software.com/bbb_highscore.php and http://www.mrio-software.com/fi_highscore.php )

Originally, the "table" had no "primary key" - I just kept the top 10 scores. The problem is that the tables quickly become filled by the repeated posts of the top players, ie all the 10 entries belonged to the top 2 players.

I made the PK the name, so if you post a score with a name already on the table, it either moves your name up in the list (if you scored better) or informs you that you have a higher score already. This meant more unique users in the tables => less frustrated players => more sales.

Unfortunately, someone finally figured this out, and started posting with names such as MYNAME0, MYNAME1, MYNAME2...

The obvious solution would be to post a unique ID randomly generated at installation time and use that as PK, not the name. But it leads me to another problem - if two or more players use the game in the same computer (ie brothers), even if they change the name from post to post, one post will overwrite the other guys post, because they used the same unique ID (that of the installation).

So what to do? Impose that restriction, making the game less enjoyable to family members? Allow multiple name posting, but "police" the list to manually identify and remove those posts?

If you can match their IP address with their contact information, send them a polite email informing them that they are being disruptive to the other players and ask them to stop.

If they don't stop, then ban that IP from posting to the high scores.

Or, whenever you see something funky going on with names, make those names unavailable in the database to players.

I hate it when people feel the need to be buttheads.

Anthony

Online highscores are nothing but trouble, I tell ya! Wait until they start hacking you with false highscores, then you have some serious problems. Where do you draw the line between what you categorize as fake scores (too damn high) and normal scores (probably attainable)? I'm surprised you're not having these problems already. Every time I've tried online highscores some punk has hacked the stuff. Admittedly I never used any smart security measures, just some simplish checksums/whatever. I'm curious, what techniques are you using that have withstood hacking?

I had one obvious hack (inhumanly high numbers) and an unknown number of non-obvious hacks :)

I'm not doing anything really special. Actually, I implemented an encoding scheme as a temporary hack before doing it right (ie asymetric cryptography) but I had no need to replace it after all.

Nothing special. Just a non-trivial encoding of somewhat redundant data. A little thought and string escaping on the server side to avoid code injection. Nothing else.

In the end, I think the best way of not getting hacked is being little known :) OK, we're about to reach 50000 highscore posts but I think that's a little figure in the big scheme of things.

I think once you start offering prizes for your high-scores, then the chances of being hacked increase expontentially.

Anyway, I'm interested in what conclusion you guys come up with. I've been toying with the idea of Internet hi-scores, but I'm wondering if it's really worth the trouble. It adds value to your product, but it can easily be corrupted. Either by hackers or just shady players.

We allow each name to appear on a list 5 times, after that the lowest scores are thrown away. Also had to implement a swear word filter. Hackers always happen so got a couple automatic mechanisms, any scores highly out of average are automatically deleted and scores drop off the list after 6 months giving hackers limited exposure plus new users a chance. Also url submissions are hidden or encypted as appropriate, kind of perplexing how hackers get by on encrypted ones.

Gabriel, to avoid the problem with more users playing one game, I'd probably use player profiles. Let each player create his/her own profile and ask for a nick that will be used when uploading to the high scores table. To avoid lots of Johns and Grandmas in the table, I'd use separate profile names and internet nicks. Like this:

Profile name: John
Internet nick: grandmas_little_boy
Upload score: yes/no