# Online highscores

This topic is 2946 days old which is more than the 365 day threshold we allow for new replies. Please post a new topic.

## Recommended Posts

For the racing game Proun that I am working on, I would like to store the best track times online and show those in the game. So basically I want online highscores/leaderboards. So my question is: what is the easiest/fastest/safest way to implement this? I am hoping there is some free library than can handle this, since it seems a waste of time to implement this myself with sockets and a database and such, while this functionality is not really game specific. So, is there some library that can handle this? Maybe even an online service so that I don't have to run my own server for this? I usually do console programming and at least on some consoles these things are provided securely by the console manufacturers, but I don't know if anything like that exists on PC. If such a library does not exist, then is there some modifiable example code somewhere that does these things? Also, how difficult is it to get a reasonable sense of security here? I don't expect to beat of any really good hackers, but I guess some sense of security for the highscores should be achievable? I looked through the websites of the networking libraries list in the FAQ, but none of them seem to be both free and supply this specific feature. Thanks in advance! :)

##### Share on other sites
There is Gamespy, but it's expensive and for pros with decent pockets, since they handle the servers and everything. There used to be Demonware (much better than Gamespy!) but they are now part of Activision's internal logistics.

There is also Valve Steamworks, but I don't know how accessible they are for the indie. They say free but I doubt it if you require leaderboard management and server support (do they even do leaderboards and stats?).

For XBox, there is XBox-Live and Games For Windows-Live of course, again you need to be a registered developer with Microsoft and so on.

I'm not really aware of alternative libraries and back-end services support for small developpers otherwise.

##### Share on other sites
Well, I don't have any budget, so Gamespy seems to be out of the question then. I did contact them, though, to see how their licensing works and what things would cost.

Since my game Proun is going to be released for free, I don't think Steamworks is an option either. Steamworks is for free and usuable even for game-versions that are sold outside Steam, but I doubt it is useable for games that are not sold on Steam at all. Also, I don't see any options for highscores in their feature overview.

If I can get access to a server somewhere myself, is there some library that lets me handle this whole thing easily and securely? That would mean both a server app that stores the highscores and a client lib that I can call from C++ to communicate with that server. Is there a lib that does that? Or rather complete example code that I can copy and use?

##### Share on other sites
It's very hard to implement a high score board that's difficult to hack. If your game develops any kind of interest, someone will probably try to hack it. A score board is apparently like candy to hackers.

There are two main ways a hacker will typically try to hack the high score. If you can defeat both of them, most hackers will give up at that point.

The first is to intercept a high score submission and modify it on the way to the server. Whether you use raw sockets or something higher level like http, the user will be able to examine traffic from the client to the server. If he sees something like "highscore=9355", he'll try to modify it.

The second is to change the score in memory. Here the hacker ignores the traffic to the server and tries to change what the game thinks its own state is. The hacker fires up a tool that allows him to examine and modify his system's memory. He looks for something that's likely to be the address of the variable he cares about, then edits the value there.

Good luck!

Is there any reason you couldn't sell the game for $5 on Steam, and also give it away for free, if "being sold on Steam" is a requirement to use Steamworks? #### Share this post ##### Link to post ##### Share on other sites why not store the highscores in a mysql database then have php or ASP gather the highscore an put them onto a website? #### Share this post ##### Link to post ##### Share on other sites Quote:  Original post by ARC incwhy not store the highscores in a mysql database then have php or ASP gather the highscore an put them onto a website? Exactly! You can even make it a bit easier and output the score to php, have php verify the score and write it to the database, then have PHP display it. This was my easiest solution and yes it can still be hacked, but the hacker will be a registered user and easy to identify, hehehe. #### Share this post ##### Link to post ##### Share on other sites Awhile back, there was a user on this site who had a little service doing high score hosting. I dug up the link, but it looks like it's no longer alive. I think it was essentially what Xyle and ARC inc described. #### Share this post ##### Link to post ##### Share on other sites I expected php+SQL was going to be the easiest way if I had to do this myself, but I would still have to write the PHP scripts, message sending and security for that. I was hoping there would be some library or example code that would do all that and that I can simply plug-in, since this is such generic code. Especially because of the security thing. Quote:  Original post by hplus0603Is there any reason you couldn't sell the game for$5 on Steam, and also give it away for free, if "being sold on Steam" is a requirement to use Steamworks?

I don't know how far their system can be stretched, but as far as I know, Steamworks does not support highscore lists, so it wouldn't help anyway.

##### Share on other sites
An easy way to 'secure' high score submissions is to ship with a replay of the game with each highscore submission, obviously this only works if your game already has some way of storing replays. This way, if you suspect someone has cheated you can just check out the replay for that highscore.

##### Share on other sites
Hi,

I'd like to add that I found a way to secure the outgoing URL to the php script:
I am creating a game with libcurl that simply opens a HTTP file with parameters.

For instance: http://www.example.com/highscores.php?score=9283

The hacker can of course edit this. I've added an md5 hash which
takes the score together with a predefined password.

md5(9283 + "dkalelx")

Now you simply add it to the output of the highscores.php and check it with PHP if it's correct.

The other way which the hacker may try: to memory hack the values of your score.

One way to possibly circumvent:

e.g. m_Score

You have to give the score an offset value.

say #define SCORE_OFFSET 5743

and now, when you require the score in your code use a private function

int GetScore() { return m_Score+SCORE_OFFSET; }
void SetScore( int score ) { m_Score = score-SCORE_OFFSET; }

The advantage of this is that you can no longer memory scan for the original score value.

Hope that helps,
Nick

##### Share on other sites
The only thing I was going to add was to maybe return the scores in XML form so you can dump them wherever you want.

##### Share on other sites
I would personally use a MySQL database and the C/C++ includes and libraries that come with MySQL. This way you can have your applicaton write to the high score table and still be able to use normal SQL commands within your app.

##### Share on other sites
Alternatively there are services out there which handle all the back end stuff and provide libraries to access the server. I'd heard of AGON already, but a quick search revealed this summary of a few

##### Share on other sites
Quote:
 Original post by lonewolffI would personally use a MySQL database and the C/C++ includes and libraries that come with MySQL. This way you can have your applicaton write to the high score table and still be able to use normal SQL commands within your app.

Unless I'm misunderstanding your suggestion, letting the client connect directly to the database seems like a terrible idea.

##### Share on other sites
If you let the client issue commands to the DB, someone could connect and issue "drop table highscores" or even better, "insert into highscores(name) values('".uuencode(read_big_file_of_porn())."')". It's practically an open invitation for abuse.

If you use a database, there has to be an application server (such as Apache/PHP) between the clients and the database. Ideally, the firewalls on the database box make it so that only the Apache box can get to the database at all.

##### Share on other sites
Quote:
 Original post by NoggsAlternatively there are services out there which handle all the back end stuff and provide libraries to access the server. I'd heard of AGON already, but a quick search revealed this summary of a few

Those are only for iPhone, and the original request was for a PC library/service.

##### Share on other sites
What about creating and consuming a web service over https? Let the web service handle saving to the database. There should be some kind of c++ library that allows you to communicate with a web service.