Security issue (50/50 game)
Posted: Fri Feb 17, 2012 9:56 pm
by Liquid
Hey guys, I run a small game and recently ran into a problem with one of the features. It is a 50/50 game where players basically put up a bet, and another player can choose to take that bet and it is up to a rand number to determine the winner. It seems, though, that a few people have found a way to cheat the code and win. From what I can see, and it makes sense, the wins are coming from the people who actually decide to take the bet. I have heard rumors of some sort of program that is capable of doing this but I can't find any information on it. It doesn't make sense to me. How can you change the outcome of a rand(1,100), for example? I know you can easily change $_GET or $_POST variables but to change the inner code itself, I'm really confused.
Code:
    if (rand(1, 500) > 250)
    {
        print "You win.";
    }
    else
    {
        print "You lose.";
    }
How could you change the outcome of that? There really isn't much else to it. I'm really confused, any help would be great.
Re: Security issue (50/50 game)
Posted: Fri Feb 17, 2012 11:20 pm
by Jackolantern
We would need a bit more than this to figure out a solution, because this is not enough for us to see the problem. You would also need to explain all of the mechanics. What do you mean the first player "puts up a bet", the second player can "take that bet", and it seems like the one who "takes the bet" is usually the winner? Programming is very, very specific.
The only thing that could be an issue with what you showed us is the rand() function, and that is seeded automatically for random numbers. However, if someone is gaming the random number generator (which could be possible, since it is known that PHP's rand() function is weak), you may need to look for a more complex solution for random numbers, such as using a random number generator service that uses hardware randomizers.
Re: Security issue (50/50 game)
Posted: Fri Feb 17, 2012 11:44 pm
by Callan S.
I remember a story about nethack being run on a server, it drawing its random function from the server's time value and someone figured out how to calculate what results would come from starting a map at a certain time.
Re: Security issue (50/50 game)
Posted: Tue Feb 21, 2012 4:03 pm
by Liquid
Thanks for the replies, I decided to change up the code a bit & also code in better logs (logging the rand numbers generated) so I can get a better idea of what's going on.
Re: Security issue (50/50 game)
Posted: Tue Feb 21, 2012 9:59 pm
by Ark
You could try to use the mt_rand() function, it's faster and with a larger limit.
Re: Security issue (50/50 game)
Posted: Wed Feb 22, 2012 4:43 pm
by MikeD
You could also just use an array and then select 1 number from the array. Or even select multiple numbers from the array and come up with an average.
Re: Security issue (50/50 game)
Posted: Wed Feb 22, 2012 4:47 pm
by Jackolantern
Liquid wrote: Thanks for the replies, I decided to change up the code a bit & also code in better logs (logging the rand numbers generated) so I can get a better idea of what's going on.
That is probably a good idea. Whenever something seems to be "cracked" in your game and you don't get what is going on, log, log, log.
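The points raised in this thread, as an added example that is not code from any poster: the bet is resolved on the server with PHP's random_int() (PHP 7+, backed by the operating system's CSPRNG) instead of rand() or mt_rand(), neither of which is cryptographically secure, and each bet produces an audit record so the taker's win rate can be checked from the logs. The function names, the record fields and the rule that a roll above 250 means the taker wins are assumptions.

```php
<?php
// Added example; names and the "roll > 250 means the taker wins" rule are assumptions.

// A seeded generator replays the same roll for the same seed, which is why
// a guessable seed (such as server time) makes the outcome predictable.
function seeded_roll(int $seed): int
{
    mt_srand($seed);
    return mt_rand(1, 500);
}

// Resolve a bet on the server with the OS CSPRNG and return an audit record.
// 250 of the 500 possible rolls win, so the odds are even.
function resolve_bet(int $betId, int $creatorId, int $takerId): array
{
    $roll = random_int(1, 500);
    return [
        'time'    => gmdate('c'),
        'bet'     => $betId,
        'creator' => $creatorId,
        'taker'   => $takerId,
        'roll'    => $roll,
        'winner'  => $roll > 250 ? $takerId : $creatorId,
    ];
}

// Share of bets won by the taker; a value far from 0.5 over many bets
// is the signal to investigate.
function taker_win_rate(array $records): float
{
    $wins = 0;
    foreach ($records as $r) {
        if ($r['winner'] === $r['taker']) {
            $wins++;
        }
    }
    return count($records) > 0 ? $wins / count($records) : 0.0;
}

$seed = 1329515760; // constructed timestamp
echo "same seed, same roll: ", var_export(seeded_roll($seed) === seeded_roll($seed), true), "\n";

$records = [];
for ($i = 1; $i <= 10000; $i++) {
    $records[] = resolve_bet($i, 1, 2); // constructed bet and player ids
}
error_log(json_encode($records[0]));    // one audit line per bet in real use
printf("taker win rate: %.3f\n", taker_win_rate($records));
```

If the logged rolls look evenly spread while the taker's win rate stays well above one half, the generator is not the cause and the surrounding bet-handling logic is the next place to look.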
