Code: Select all
if(rand(1,500) > 250)
{
print"You win.";
}
else
{
print"You lose.";
}
Security issue (50/50 game)
Security issue (50/50 game)
Hey guys, I run a small game and recently ran into a problem with one of the features. It is a 50/50 game where players basically put up a bet, and another player can choose to take that bet and it is up to a rand number to determine the winner. It seems though that a few people have found a way to cheat the code and win. From what I can see, and it makes sense, the wins are coming from the people who actually decide to take the bet. I have heard rumors of some sort of program that is capable of doing this but I can't find any information on it. It doesn't make sense to me. How can you change the outcome of a rand(1,100) for example. I know you can easily change $_GET or $_POST variables but to change the inner code itself, I'm really confused.
How could you change the outcome of that? There really isn't much else to it. I'm really confused, any help would great.
-
Jackolantern
- Posts: 10891
- Joined: Wed Jul 01, 2009 11:00 pm
Re: Security issue (50/50 game)
We would need a bit more than this to figure out a solution, because this is not enough for us to see the problem. You would also need to explain all of the mechanics. What do you mean the first player "puts up a bet", the second player can "take that bet", and it seems like the one who "takes the bet" is usually the winner? Programming is very, very specific.
The only thing that could be an issue with what you showed us is the rand() function, and that is seeded automatically for random numbers. However, if someone is gaming the random number generator (which could be possible, since it is known that PHP's rand() function is weak), you may need to look for a more complex solution for random numbers, such as using a random number generator service that uses hardware randomizers.
The only thing that could be an issue with what you showed us is the rand() function, and that is seeded automatically for random numbers. However, if someone is gaming the random number generator (which could be possible, since it is known that PHP's rand() function is weak), you may need to look for a more complex solution for random numbers, such as using a random number generator service that uses hardware randomizers.
The indelible lord of tl;dr
Re: Security issue (50/50 game)
I remember a story about nethack being run on a server, it drawing its random function from the servers time value and someone figured out how to calculate what results would come from starting a map at a certain time.
Re: Security issue (50/50 game)
Thanks for the replies, I decided to change up the code a bit & also code in better logs (logging the rand numbers generated) so I can get a better idea of what's going on.
Re: Security issue (50/50 game)
You could try to use the mt_rand() function, it's faster and with a larger limit.
Orgullo Catracho
Re: Security issue (50/50 game)
You could also just use an array and then select 1 number from the array. Or even select multiple numbers from the array and come up with an average.
-
Jackolantern
- Posts: 10891
- Joined: Wed Jul 01, 2009 11:00 pm
Re: Security issue (50/50 game)
That is probably a good idea. Whenever something seems to be "cracked" in your game and you don't get what is going on, log, log, logLiquid wrote:Thanks for the replies, I decided to change up the code a bit & also code in better logs (logging the rand numbers generated) so I can get a better idea of what's going on.
The indelible lord of tl;dr