Hello,

I've been working on a MUD game since november, and so far the programming goes pretty well. I have a small chat and can throw in basic commands to perform an action.

But this MUD isn't a multiplayer game how you would normally make one; I decided to make an attempt making a multiplayer game without host application. Instead, all data; that is: The world, players, chatting, gameplay, stories; all of it is stored in a database. The clients just throw queries at it and get data back. E.g. player types "walk west", a query to the commands table is thrown to see if "walk" exists. It does, a reference to what action needs to be performed is thrown back, and then a query to the "rooms" table is made to see if the player can walk west.

As for chatting, the client keeps querying the database every half a second to look for new chat messages. This causes the most wear on bandwidth but that's a small price. For this way I only need a cheap webserver to apply my game online, and not some expensive virtual server that needs to run an application all the time.

However, I have one issue now. How is hack-safety using this method? Can players easily alter the client/outgoing query to hack the game? I have no clue whatsoever on those networking issues, but I hope it's not too easy to hack a client application.

Thanks,
Joozey

I guess I'm not sure what your saying. Im working on an orpg right now and all my database stuff stays on the server side with SQLite... I just send cues for an event to happen from the server with the event functions in anet. it's very easy and as far as I know, the most secure way of doing things since all calculations (that matter) are server side.

Yeah but in my case thats not the case. The client does all the calculations as the server is simply a webserver with a database, nothing more. No application running. But the client is limited in doing stuff by the data set in the database. The client constantly needs to peek in the database if his actions are valid or not. Is it then still safe?

nope, as far as i know, its a simple task to change an incoming number into your program, and modify things like how much gold to add, etc.

Though altering incomming is one thing, the outgoing another?

If a player collects a coin, it tells the database it found 1 coin. The next time a player logs in it retrieves the amount of coins for the player, and it returns 1. The player can then alter this to be 1000, but the database still has it registered as 1.

The incomming connection is not so important as the outgoing. Is the outgoing query just as easy to manipulate?

doesnt seem like it'd be too hard, at hardest someone could just get a hex program and modify your program, and add 10 0's to the +1 statement. again, ive never done this kind of stuff, but from what i understand, this is how it works.

when people figure out the user name and password of your database, which has to be stored somewhere in your application files, they can do almost everything to the tables available, it depends on what rights you give the user.
you can set these options in mySQL:
http://www.debiantutorials.org/images/user-privileges-phpmyadmin.png

but adding 1000 gold coins instead of 1 can not be disabled this way.
there is no way to secure a direct connection to the database.

what you should do is to wrap all queries into php files and access them via a http-get plugin. in that php files, you could do the checks if the query is valid.

btw: I'm also working on an mmorpg

I was going to do that with a flash program once.

but as far as the ot, i cant think that keeping everything synchronous would be to easy this way either.

That is a good idea, a php interface! I will certainly dive into that. It might be a perfect solution. Well good enough.

Are you using a virtual server to run the host, schokokeks?

No, I got a small server here at home that runs 24/7, it uses laptop components and power costs are way cheaper than renting a (virtual) windows server. That server currently runs the "Survive!" game.

I'm not aiming for a complete mmorpg yet, so bandwith is not an issue, at 1Mbit upload speed I think i can support about 10-20 players, the code is highly optimized.