Raising the security problem
There is a security issue in our game, arising from our development tools and game genre.
Even if we hide some functions in PHP files, users can still see how we call those PHP files and do the same thing from the browser console.
Our game is an online game, which needs to connect to a server to request user data and change server data according to players' actions. Nearly all online games have experienced attacks through illegitimate network requests, since there are always some bad players who want to profit by stealing the game's virtual economy. The server has to take some measures to protect its data.
How to protect server data
We discussed the security problem several times and came up with some ideas. Since none of our teammates has much experience with this problem, they are probably not good solutions. We just write our ideas down here.
Hold data on the server
If data is saved in the client program, it is too easy for players to change. The server cannot know whether the data is correct or whether the user's actions are legal. This gives hackers too much room to act.
To ensure user actions are legal, the server program has to have self-validation steps. Every time the client program sends a request, the server needs to validate that action. If it is legal and makes sense, the server takes the real action; otherwise it needs to consider whether this is hacking behavior.
If the server holds all data, it is a big challenge for network transmission and machine performance. Since our game is a real-time game that needs to sync data every frame, this is a very demanding requirement.
One solution to this sync problem is to run two copies of the game at the same time, one on the server and one on the client. The client program sends user input to the server so that both run the same update. The two games sync at a predefined time interval. If the server finds that the client's game data differs greatly from its own, it was probably changed by the user.
Limit interfaces on the client side
A better way to protect server data is to limit the interface exposed to the client program. We can simply send user input to the server and let the server run all game logic and judge whether we can kill enemies, add gold/crowns, use bombs, etc. Of course, this has to be built on the server holding the game data.
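The two ideas above (server holds the data, client only sends input) combined in a small added example. This is illustration code written for these notes, not the game's own PHP endpoints: the player, enemy and world types, the "use_bomb" action and the range/damage constants are all assumptions.

```python
# Added illustration: an authoritative server that accepts player *intents*
# and decides the outcome itself, instead of exposing endpoints such as
# "add gold" that a client could call directly from the browser console.
from dataclasses import dataclass, field

@dataclass
class Player:            # all state lives on the server side
    gold: int = 0
    bombs: int = 3
    x: int = 0
    y: int = 0

@dataclass
class Enemy:
    hp: int = 10
    x: int = 0
    y: int = 0
    bounty: int = 5      # gold awarded by the server when hp reaches 0

@dataclass
class World:
    players: dict = field(default_factory=dict)
    enemies: dict = field(default_factory=dict)

BOMB_RANGE = 2           # assumed Manhattan distance a bomb can reach
BOMB_DAMAGE = 10

def handle_request(world, player_id, action, params):
    """Validate one client request against server-held state and apply it."""
    player = world.players[player_id]
    if action == "use_bomb":
        enemy_id = params.get("enemy_id")
        enemy = world.enemies.get(enemy_id)
        if enemy is None:
            return "rejected: no such enemy"
        if player.bombs <= 0:
            return "rejected: no bombs left"
        if abs(player.x - enemy.x) + abs(player.y - enemy.y) > BOMB_RANGE:
            return "rejected: out of range"
        player.bombs -= 1
        enemy.hp -= BOMB_DAMAGE
        if enemy.hp <= 0:
            player.gold += enemy.bounty   # gold changes only here, server-side
            del world.enemies[enemy_id]
        return "ok"
    # Anything the client may not do directly (e.g. "add_gold") is simply
    # not an interface: reject it, and log it as a suspicious request.
    return f"rejected: unknown action {action!r}"
```

Each rejected branch is also a natural place to count suspicious requests per player, which is the "is this hacking behavior" judgement the notes describe.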