OK, I am creating a game using JavaScript and HTML5. The variables such as map, x, y, level, exp, etc. are stored in JavaScript to keep track. On my client page, the JavaScript variables are stored to play along with the game. Every 5 seconds, the client page sends a POST AJAX call to the MySQL database and it successfully updates it.
However, a user can easily modify the JavaScript variables and cheat their way in the game. Then once they edit the JavaScript variables, the POST grabs that and updates it even though they edited it unethically.
So, how do I prevent this from happening?
Unfortunately, there is no way to prevent client-side code from being manipulated by a malevolent party. However, in many cases, there are certain behaviors that could potentially signal possible abuse.
For instance, if the maximum amount of hit points I can regain via a healing potion is 100 points, and a user suddenly increases by 1000, then you know there was abuse. Your strategy should involve putting checks in your code as validation to ensure that the data returned to your application makes sense.
This concept is a lot like what a business application developer might do to make sure that data entered in a web form is validated. If there are certain values that are illegal or that shouldn’t be submitted, the server responds with an error message and instructions on what fields need to be filled out.
In your case, it may still be possible for someone to “game the system” at levels below certain thresholds. Start small, and as you analyze the data, you’ll find more areas where you can implement this type of validation of your data.
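The kind of server-side plausibility check the answer describes, as an added example that is not part of the original answer. It assumes a Node.js handler compares each 5-second POST against the last state the server accepted; the function name, the `hp` field and every limit other than the 100-point potion cap are assumptions made for illustration.

```javascript
// Assumed per-interval limits (one interval = one 5-second POST).
const LIMITS = {
  maxHpGain: 100,    // the answer's example: a healing potion restores at most 100
  maxExpGain: 500,   // assumed
  maxLevelGain: 1,   // assumed
  maxTilesMoved: 10, // assumed
};

// prev: last state the server accepted (the database row).
// next: state the client just POSTed (untrusted).
function validateUpdate(prev, next, limits = LIMITS) {
  if (next === null || typeof next !== "object") {
    return { ok: false, problems: ["body: not an object"] };
  }
  const problems = [];
  // Type checks first, so the range checks below only ever see integers.
  if (typeof next.map !== "string" || next.map === "") problems.push("map: invalid");
  for (const f of ["x", "y", "level", "exp", "hp"]) {
    if (!Number.isInteger(next[f]) || next[f] < 0) problems.push(`${f}: not a non-negative integer`);
  }
  if (problems.length > 0) return { ok: false, problems };

  // Range checks: does the change since the last accepted state make sense?
  if (next.hp - prev.hp > limits.maxHpGain) problems.push("hp: gain exceeds limit");
  const expGain = next.exp - prev.exp;
  if (expGain < 0 || expGain > limits.maxExpGain) problems.push("exp: implausible change");
  const levelGain = next.level - prev.level;
  if (levelGain < 0 || levelGain > limits.maxLevelGain) problems.push("level: implausible change");
  // Positions are only comparable on the same map; a map change needs its own rule.
  if (next.map === prev.map) {
    const moved = Math.max(Math.abs(next.x - prev.x), Math.abs(next.y - prev.y));
    if (moved > limits.maxTilesMoved) problems.push("position: moved too far");
  }
  return { ok: problems.length === 0, problems };
}

// Constructed sample data: one plausible update and one edited in the browser console.
const stored = { map: "forest", x: 10, y: 10, level: 3, exp: 1200, hp: 40 };
const honest = { map: "forest", x: 14, y: 9, level: 3, exp: 1350, hp: 140 };
const tampered = { map: "forest", x: 14, y: 9, level: 50, exp: 999999, hp: 1040 };

console.log(validateUpdate(stored, honest));
console.log(validateUpdate(stored, tampered));
```

Only write the row to MySQL when `ok` is true, and log the `problems` list for rejected updates so the thresholds can be tuned from real data.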