dpa31905 2013-05-20 13:24
浏览 18

停止连接被伪造? [重复]

Well I am desiging an anti-cheat for the game combat arms. What i want to do is 'ping' the program with the database so that people cannot simply create a program that makes it seem as though they are using the anti-cheat.

Is there a way to 'encrypt' or stop other people simulating the connection easily? I am not great with PHP and this is how it adds it so far:

public function Update()
    {
        $ign = $_GET['ign'];
        $timestamp = $_GET['uid'];
        $time = time();

        if(($time - 10 < $timestamp) && ($time + 10 > $timestamp))
        {
            $this->connection();
            $data = mysql_query("SELECT * FROM users WHERE ign = '{$ign}'");
            if(mysql_num_rows($data) > 0)
            {
                mysql_query("UPDATE users SET lastonline = '{$time}' WHERE ign = '{$ign}'");
            }
            else
            {
                mysql_query("INSERT INTO users (id, ign, lastonline) VALUES ( NULL, '{$ign}', '{$time}' ) ");
            }

            echo "Connected to database";
        }
        else
        {
            echo "Problem connecting";
        }
    }

I need some sort of way to protect it/make it hard to crack quickly. And once cracked I can easily change, hope this has provided enough information!

</div>
  • 写回答

1条回答 默认 最新

  • ds34222 2013-05-20 14:00
    关注

    Firstly, it's pretty much mandatory here that you sanitize your SQL input. I recommend using a prepare with PDO (ext/mysql is going on a journey far, far away).

    $db = new PDO(<connection details>);
$prepare = $db->prepare("SELECT * FROM users WHERE ign = :ign");
// Tip: make sure you actually check the prepare worked before trying to execute.
$prepare->execute(array(":ign" => $ign));

    And so on. Read the reference manual.

    However if you are using mysql_* and refuse to change (though if you update PHP to 5.5 when it releases, you'll have E_DEPRECATED thrown), use mysql_real_escape_string and drop the quotes in the queries.

    Next, onto actually handling the requests.

    There's several ways to do this, but the most secure (and only option you should take) would be something cryptographically strong, such as a One Time Pad, or OAuth.

    Generate credentials, and make the game send a token signed with a hash that is uniquely generated, perhaps from a product code. This should be unique for every installation and should generate hashes that are able to be validated by the script.

    This is a problem that is constantly being researched by games companies, but it's often for naught; Your game can and will be reverse engineered by anyone who feels it's worthy of their time to do so. As will the Anti-Cheat.

    Nevertheless, sign a request and include:
    • The player's in-game name
    • A very accurate timestamp which can be verified in some way.
    • Request signature (Cryptographically Secure)
    • Location Data (Useful for banning speedhackers, but be careful for false positives if someone teleports, etc)
    • Anything else required by the Anti-Cheat (You will likely have a specification for this)

    Also, for the love of gaming, don't do a Punkbuster-style anti-cheat (aka don't ban on a request in a botnet-style fashion; it can be abused source )

    Finally, I'd probably recommend getting a professional security researcher in to review everything.

    评论

报告相同问题?

悬赏问题

  • ¥15 2020长安杯与连接网探
  • ¥15 关于#matlab#的问题:在模糊控制器中选出线路信息,在simulink中根据线路信息生成速度时间目标曲线(初速度为20m/s,15秒后减为0的速度时间图像)我想问线路信息是什么
  • ¥15 banner广告展示设置多少时间不怎么会消耗用户价值
  • ¥16 mybatis的代理对象无法通过@Autowired装填
  • ¥15 可见光定位matlab仿真
  • ¥15 arduino 四自由度机械臂
  • ¥15 wordpress 产品图片 GIF 没法显示
  • ¥15 求三国群英传pl国战时间的修改方法
  • ¥15 matlab代码代写,需写出详细代码,代价私
  • ¥15 ROS系统搭建请教(跨境电商用途)