I’m trying to write a PHP battle system for an online game I’ve been designing.
In short, it’s going to be an MMORPG, and the players’ stats will be saved across a couple of MySQL tables, as will the monster data.
In short, I’m worried about people doing something by either editing the monsters’ hp on their end, so it says they killed the monster, keeping their HP max on their computer (because wouldn’t it be unpractical to update a MySQL entry every turn?), or maybe something else.
I am still only intermediate on PHP, so not sure how I could have those values hidden from being changed by the user, yet not create a serious server congestion by updating the MySQL table every time there’s an attack.
Could someone please tell me 1 or more of the following:
- Is there a way in PHP alone to hide these active variables from being edited to allow cheating?
- If not, or if it’s not very server-friendly, is there a relatively simple applet in Java, or app for controlling host variables that could be programmed in a relatively simple manner?
Right now, monsters are only going to have regular attacks, and players will only have attacks, though I plan on expanding the players’ skill attacks first.
You should never be trusting what the browser gives to the server. The browser can make all the requests it wants (say, move 5000ft forward), but if the server looks at the request and says “Woah, you can’t do that! The maximum speed is 2ft/second!”, then you just reject the “request to move”, or you ignore it, your choice depending on implementation.
For example, the Client (be it a browser or an application on the desktop) can store all the data it wants. It can store the HP and resources. The server also has its own copy of these. If someone were to use some memory altering tool (such as Cheat Engine), all they can do is modify the client’s data (say, instead of 100 dollars to 1,000,000 dollars). But this won’t mean anything because if the client makes a request to purchase a 50,000 dollar item, the server will validate the request. It looks at the money on the server, not the client, and notices that the user has insufficient funds. Just tell the user “not enough money”, and no transaction is made.
If the client is going to try and mess with the client’s internal memory, I would not worry about the client no longer functioning correctly. Just make sure that the server approves all requests for game state modifications and everything will be fine.
If you want to avoid spamming the network and also keep movement of the user valid, the client can make the assumption that the server will approve the request. So you can allow the user to move a certain distance and either send a single request after several seconds, or you can send several requests and show the character moving while you wait for the server to approve the requests. This brings up a new issue of de-syncing with the server for the client if you make several requests and the server takes a while to respond.
In general, you will have to send a lot of requests, and you will have to send requests every time the user does something because you will want other users to see what you are doing, too. There is no way to get around this, but you can use clever compression and delay tactics to allow the client to operate more smoothly.
If you want to avoid hitting your SQL servers all the time, you can use caching tools such as Memcache, which conveniently is very excellently supported by PHP. Memcache can store whatever you need in memory for very fast data storage. Of course, this has caveats as you will need to sync your cache with your database, and vice-versa.
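The server-side validation described in this answer, applied to the battle turn from the question, as an added PHP example (not code from either post). The `$battles` array stands in for the Memcache/MySQL copy of the state, and `handleTurn`, the battle id, the stat names and the sample requests are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Stand-in for Memcache/MySQL: the authoritative battle state lives only here.
// Constructed sample data; a real game would key this by the logged-in session.
$battles = [
    'battle-1' => ['player_hp' => 40, 'player_atk' => 7, 'monster_hp' => 15, 'monster_atk' => 4],
];

const ALLOWED_ACTIONS = ['attack'];

/**
 * Apply one turn. Only the action name is read from the client request;
 * any HP or damage fields the client sends are ignored.
 */
function handleTurn(array &$battles, string $battleId, array $request): array
{
    if (!isset($battles[$battleId])) {
        return ['ok' => false, 'error' => 'no such battle'];
    }
    $action = $request['action'] ?? '';
    if (!in_array($action, ALLOWED_ACTIONS, true)) {
        return ['ok' => false, 'error' => 'invalid action'];
    }
    $b = &$battles[$battleId];
    if ($b['player_hp'] <= 0 || $b['monster_hp'] <= 0) {
        return ['ok' => false, 'error' => 'battle already over'];
    }
    // Damage is rolled on the server from the server's copy of the stats.
    $b['monster_hp'] = max(0, $b['monster_hp'] - random_int(1, $b['player_atk']));
    if ($b['monster_hp'] > 0) {
        // The monster only strikes back if it survived the player's hit.
        $b['player_hp'] = max(0, $b['player_hp'] - random_int(1, $b['monster_atk']));
    }
    // The reply is for display only; the client's copy is never read back.
    return ['ok' => true, 'player_hp' => $b['player_hp'], 'monster_hp' => $b['monster_hp']];
}

// Constructed request from a client whose local values were edited.
$tampered = ['action' => 'attack', 'monster_hp' => 0, 'player_hp' => 9999, 'damage' => 500];
echo json_encode(handleTurn($battles, 'battle-1', $tampered)), PHP_EOL;

// Constructed request naming an action the server does not offer.
echo json_encode(handleTurn($battles, 'battle-1', ['action' => 'instakill'])), PHP_EOL;
```

Because the state is only written to the store once per turn, the MySQL row can be updated when the battle ends rather than on every attack.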