So, I was wanting to get a discussion started about the best way to implement a leaderboard using Unity iPhone, as well as techniques being used to A) control profanity, and B) secure the board from unauthorized “entries”.
So first off, I read someone say that the WWW class is what you’d want to use to do a leaderboard. From what I can tell, that is supported in iPhone Basic, correct? If so, that part would appear to be pretty straight-forward.
As for profanity and security, I’m very much interested to hear the thoughts of others here.
Both profanity and security are going to be things that you implement on the server. For security, the best general advice I can give is for you to plan on treating every input as if it is an attempt to cheat or compromise the system somehow. So, don’t trust the client. Details of how to handle it are going to depend on your implementation, but that would be my very general advice.
For profanity, the easiest way to go would be to to keep a blacklist of filtered words. You can filter them on the client (for immediate feedback) and again on the server (since you don’t trust the client).
The method I used for Bubble Bang and usually all other stuff where I send data from the client to the server is by using a MD5 hashed token + value method. It works like that:
Let’s say we want to use the score of the player plus the level he reached and transmit this safely to the server, make it kind of semi proof to be altered. The trick is to use a secret token that is only known to the client and to the server and could be found only if you view the game data file in a hex editor. To make this even harder, we use a token that consists only out of numbers and not characters as numbers are much harder to spot in the hex editor than a string.
So we put the level and the score into a string + a token and make a MD5 hash out of it, like this:
var score : int = 23874;
var level : int = 16;
var hash : String = Md5.Md5Sum("" + score + level + "92837897324873");
var highscore_url : String = "http://www.webserver.com/add_score.php";
var form = new WWWForm();
form.AddField("level", level);
form.AddField("score", score);
form.AddField("hash", hash);
var download = new WWW(highscore_url, form);
yield download;
...
And we transmit the hash + the level and score as cleartext variables too to the server. Now, when the server receives this data, the server side code just does the same as the client, it uses the transmitted cleartext score and level + the token that is also known to the server, but never got transmitted to the server in the http form and assembles again the MD5 hash. If now the MD5 hash that just got computed and the MD5 hash that was also sent as parameter are equal we know at least that the data we received was not altered. We can safely store the level and score in the database.
This is a basic token/MD5 way of making sure the data gets safely transmitted. To hack this you would need access to the binary to be able to find out the secret token and even if you got it, you would need to know in which order the data got assembled and MD5 hashed to be able to send faked highscore data to the server. So or my usage I found this safe enough. If that gets hacked I thought this guy then really deserves it to put in any score he wants…
Things to consider:
Make sure you test the MD5 hashes first that the server produces and that the client produces. Not all MD5 implementations produce the same output. The MD5 below (from the wiki I think) works perfectly with my PHP 5 code on my LAMP server.
Be careful with hashing names. Due to different input language settings the server might not be able to produce the same hash if the client uses some weird characters encoding or such ugly things. When working with the iPhone this is usually no problem as it sends in UTF 8, but make sure your server also translates the string into UTF 8 as most LAMP servers I know use per default ISO 8859-1 character encodings. Anyways, just something to watch out for!
MD5.cs
import System;
import System.Text;
import System.Security.Cryptography;
static function Md5Sum(strToEncrypt)
{
var encoding = UTF8Encoding();
var bytes = encoding.GetBytes(strToEncrypt);
// encrypt bytes
var md5 = MD5CryptoServiceProvider();
var hashBytes = md5.ComputeHash(bytes);
// Convert the encrypted bytes back to a string (base 16)
var hashString = "";
for (var i = 0; i < hashBytes.Length; i++)
{
hashString += Convert.ToString(hashBytes[i], 16).PadLeft(2, "0"[0]);
}
return hashString.PadLeft(32, "0"[0]);
}
Thanks for sharing, Martin! This looks like a wealth of info. I could only skim it since I’m on my way to see in-laws for Christmas, but I’ll give this a thorough look in the next couple of days. Thanks again and I look forward to hopefully being able to add constructively to this exchange.
Hey Martin in add_score.php did you have something like this? I’m also trying to use WWWform but I can’t figure out why my script here isn’t inserting the data to my database.
<?php
mysql_connect('localhost', 'user', 'password') or die('Could not connect: ' . mysql_error());
mysql_select_db('database') or die('Could not select database');
mysql_query("INSERT INTO scores (id, name, score) VALUES (NULL, '$name', '$score')") or die(mysql_error());
?>
Hey,
Just wondering, are there any more convenient solutions available by now rather than having to do the coding from scratch?
Isn’t there any leaderboard mechanism that is provided by apple that one could use to implement leaderboards more easily?
Wow! That looks very complex. My main question is how the PHP and MySQL server would be programmed, and how the Unity script would access the php file, and what way a user on a computer could simulate this.