I’m working on a shooter game which uses PUN so is p2p atm.
The game will have a database to save the player data like points/gear and whatnot, but if one of the players is the master client, this means cheating is possible.
So if some player gets experience for a kill which gets saved in the database f.e. how exactly do I make it secure so that a player can’t just run the database code multiple times to farm XP?
You really can’t. The closest you can get is having a central server under your control that handles all assignments of experience and gear, which authenticates any data sent from clients and looks for impossible or unusual behavior.
First off, make sure that you can’t simply sniff a request out in Fiddler and resend it over and over again. You can use session cookies and timer parameters for this.
Then server-side you should have your own cheat detection systems. Common checks are for sudden fast movement around a map. If a player is teleporting around, they are most likely cheating. You can also monitor what types of objects they get and make sure that they’re not getting end-of-game weapons in the first level by hacking the commands. The best thing to do would be to have your anti-cheating mechanism send you an alert to manually check out what’s going on, especially if it’s a single-player game where someone may be doing something strange but not cheating (like speedrunning).
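
The checks described in the replies above, sketched as an added example that is not part of the original posts: a central server that rejects resent requests and flags implausible kill rates for manual review. The class and function names, the per-session HMAC key, and the thresholds are all assumptions made for illustration.

```python
import hashlib
import hmac
import time

MAX_SKEW = 30           # seconds a request timestamp may differ from server time (assumed)
MAX_KILLS_PER_MIN = 20  # plausibility threshold before alerting a human (assumed)
XP_PER_KILL = 100       # the server decides the reward; the client never sends an amount

def sign(key, session_id, nonce, ts):
    """MAC over the fields the server checks, keyed per session."""
    msg = f"{session_id}|{nonce}|{ts}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class XpServer:
    def __init__(self):
        self.sessions = {}  # session_id -> key, player, seen nonces, recent kill times
        self.xp = {}        # player -> total XP (stand-in for the database)
        self.alerts = []    # events queued for manual review

    def open_session(self, session_id, player, key):
        self.sessions[session_id] = {"key": key, "player": player,
                                     "seen": set(), "kills": []}

    def report_kill(self, session_id, nonce, ts, mac, now=None):
        now = time.time() if now is None else now
        s = self.sessions.get(session_id)
        if s is None:
            return "unknown session"
        if not hmac.compare_digest(sign(s["key"], session_id, nonce, ts), mac):
            return "bad signature"   # fields were altered after signing
        if abs(now - ts) > MAX_SKEW:
            return "stale"           # old capture sent again later
        if nonce in s["seen"]:
            return "replay"          # same request sent twice
        s["seen"].add(nonce)
        # A modified client can still sign fresh requests, so check plausibility too.
        s["kills"] = [t for t in s["kills"] if now - t < 60] + [now]
        if len(s["kills"]) > MAX_KILLS_PER_MIN:
            self.alerts.append((s["player"], "kill rate", len(s["kills"])))
            return "flagged"
        self.xp[s["player"]] = self.xp.get(s["player"], 0) + XP_PER_KILL
        return "ok"
```

The signature and nonce only stop captured traffic from being resent or edited; the rate check is what covers a client that generates its own valid-looking requests.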