So, you want to have a "high score list", but people figure out that the
number of moves is immediately after the ? in the URL. Well, a lot of
suggestions were given to me, and here is a list of the various things
that can be done to stop those annoying cheaters.
- Use POST instead of GET; that way the user doesn't see the number
that is submitted to the CGI. Thanks to Tom Scheper, I was directed to
a site that explains
everything about how to add it to your Java program. I won't be adding
it, but if someone does, I would certainly accept changes.
- Use a simple formula to get a different number, like [moves] * 15 +
23, but then people would figure that out too (I tested this theory in
1998).
- Have the puzzle page generated by a script, and include a unique key
that will get returned with the number of moves. Add the key to a file. When
the solution page is loaded, check if the key is in the file. If so, delete the
key and keep the number of moves. If not, the person is trying the puzzle again
and could be trying to modify their number of moves (or they maybe just hit
"back" and tried it again).
- As an extension of the previous idea, have the key be all numbers and
a somewhat random length. Add another key to the very end, so the query might
look like solution.cgi?moves=174512439872146272651493482629427862, with
only the bold 27 being the correct number. You could possibly implement this
without the file of keys, but then it is feasible that people would bypass the
meager amount of security. I have sample scripts in the full package of the
puzzle.
- You can get an HTML encoder, which would really make people think
twice. This is trivially implemented with the above solution, but I didn't do
it so you could still read the HTML. With the HTML encoded, it takes a newer
browser to decode it, but it is quite secure. Check out
javascripts.com for programs that can
do it.
- You can alter the source of the applet that will perform actions you
specify, do a certain difficulty level.
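
The unique-key idea from the list above, as an added example (not one of the sample scripts in the puzzle package). It is written in Python for illustration; the function names, the 16-byte random key and the 6-digit limit on the move count are assumptions.

```python
import fcntl      # Unix-only file locking
import os
import secrets
import tempfile

def issue_key(key_file):
    """Called by the script that generates the puzzle page."""
    key = secrets.token_hex(16)            # unguessable, unlike a counter
    with open(key_file, "a") as fh:
        fcntl.flock(fh, fcntl.LOCK_EX)     # serialize with concurrent redeem()
        fh.write(key + "\n")
    return key                             # embed this in the generated page

def redeem(key_file, key, moves):
    """Called by the solution script. Returns the move count to record,
    or None when the key is unknown or already used, or moves is malformed."""
    if not (moves.isascii() and moves.isdigit() and len(moves) <= 6):
        return None                        # reject "-5", "1e9", "27abc", ...
    try:
        fh = open(key_file, "r+")
    except FileNotFoundError:
        return None                        # no key was ever issued
    with fh:
        fcntl.flock(fh, fcntl.LOCK_EX)     # check-and-delete must be atomic
        keys = fh.read().split()
        if key not in keys:
            return None                    # replay, "back" button, or made-up key
        keys.remove(key)                   # a key is good for one submission
        fh.seek(0)
        fh.truncate()
        fh.write("".join(k + "\n" for k in keys))
    return int(moves)

def demo():
    """Constructed sample run against a temporary key file."""
    path = os.path.join(tempfile.mkdtemp(), "keys.txt")
    k1, k2 = issue_key(path), issue_key(path)
    return [
        redeem(path, k1, "27"),            # first submission: accepted
        redeem(path, k1, "3"),             # same key again: rejected
        redeem(path, "0" * 32, "3"),       # key the server never issued
        redeem(path, k2, "-5"),            # malformed move count
        redeem(path, k2, "41"),            # k2 was not consumed above
    ]

if __name__ == "__main__":
    print(demo())
```

The lock around the check-and-delete matters: without it, two simultaneous requests carrying the same key could both find it in the file before either removes it.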