Handling player travel

[OldRod]

Looking for some input/recommendations on something - for those that are not aware, I'm working on a text-based browser RPG.

I have a table that contains 3 fields for each record: currentloc, direction, newloc. Let's say you are a location 1. There would be a record with these values in it: '1', 'North', '2', meaning your currentloc is 1, going north takes you to newloc 2.

When you are at location 1, I display a description of the area and then create/display a link that says "Go North" and the href is to a file called travel.php. In the case of the above example, in the link I'm passing parameters ol=1&nl=2.

In travel.php, I check the travel table again to make sure that you can actually go from ol (old loc) to nl (new loc) to prevent anyone trying to cheat by changing the URL and if it's allowable, I move the player there and send them back to the main page, which then updates to show descriptions of the new location.

This system is in place in my game and working fine.

Here's what's bothering me though: A smart player could keep track of what locations attach to each other and if they were careful, they could change the link to a valid link, but one that is halfway across the world from where they started.

Is there another way to handle this that could prevent such cheats?

[hallsofvallhalla]

yes, ajax and javascript.

Sadly I can't explain it all here but if you can hold off for a week or two they will be in the tutorials.

Basically it passes no variables in the url. It is done when the player clicks to travel by a separate server connection. The player never even knows what happens.


As long as you check that the travel is possible on the new page I don't see anyone being able to cheat.

[OldRod]

Ah, cool - I haven't dabbled much in Javascript and not at all in Ajax, so that'll be a learning experience I'm sure

[hallsofvallhalla]

its really not bad at all. I use little of both in my games. Just enough to add that extra touch.

[twgi]

Looking for some input/recommendations on something - for those that are not aware, I'm working on a text-based browser RPG.

I have a table that contains 3 fields for each record: currentloc, direction, newloc. Let's say you are a location 1. There would be a record with these values in it: '1', 'North', '2', meaning your currentloc is 1, going north takes you to newloc 2.

When you are at location 1, I display a description of the area and then create/display a link that says "Go North" and the href is to a file called travel.php. In the case of the above example, in the link I'm passing parameters ol=1&nl=2.

In travel.php, I check the travel table again to make sure that you can actually go from ol (old loc) to nl (new loc) to prevent anyone trying to cheat by changing the URL and if it's allowable, I move the player there and send them back to the main page, which then updates to show descriptions of the new location.

This system is in place in my game and working fine.

Here's what's bothering me though: A smart player could keep track of what locations attach to each other and if they were careful, they could change the link to a valid link, but one that is halfway across the world from where they started.

Is there another way to handle this that could prevent such cheats?

Generally you should always verify input at server side to prevent URL Manipulation.

You should not put in the request the location ids, but only the direction, ex: travel.php?dir=n then check at server side in which location the player is and if it's allowed to go north.

For example if the player location is 1 you can easily check for the existence of a row that has direction=north and old_location=1.

[OldRod]

Oh, that's not a bad idea - I've made the player current location variable accessible from multiple pages anyway, so that should be a simple thing to implement. Such an obvious solution /facepalm

Thanks twgi!

[twgi]

Player location id should be stored in the database in the user table, and preferrably stored/refreshed in the session for performance reasons.
It's easier to retrieve.

As a general rule I wouldn't let the users know locations identifier,i would retrieve them by myself