How do I prevent data manipulation (e.g. Highscore)

Hey gamedevs!

I'm a little bit confused regarding security, encryption, hashing and stuff

We at 25games wanna create games where the player can submit a highscore to our database via AJAX requests.

We already use hashing to make sure that the attacker can't simply perform a submit.php - POST

But how to prevent the attacker from changing the game's state during play?

• Let's say the attacker starts a new game: Score = 0
• Then he plays a little bit and earns some points: Score = 200, Score = 400, Score = 600
• While he is playing he observes the values of the game and compares which one has changed from 0 to 200 to 400 to 600.
• Now when he found the candidate he could easily change the score to 1.000.000 (or can't he do this?)
• Lastly he dies and the score of 1.000.000 is transmitted to our database

What can I do to prevent attackers from manipulating the local state of the game?

Thanks for your answers and have a beautiful day

You can keep your score hashed at all times. Check if the hash is correct before adding points or submitting the score.

Or keep track of the score in 2 different variables - one in clear form and another in some encrypted/obscure format. (Multiplied by 3.14, converted to text, written backwards etc.)

Display the clear variable in your game and don't check its integrity, allow the hacker to change it. But when it's time to submit the highscore, de-crypt the other variable and upload it.

Unfortunately, there is no 100% protection from an experienced and determined hacker, all these tricks will only make his job a little bit harder.

You can keep your score hashed at all times. Check if the hash is correct before adding points or submitting the score.

Oh yes! Good point, I'll try that.

Thanks