The answer is, of course. The code is on the client, and even though obscured, is JavaScript. Using something like Firebug or even editing the JavaScript in the browser cache, the logic of the client can be altered. Like any effort/reward system, it's a question of how much it is worth to the user to do it. If, for example, hacking the code merely gains the user prestige by having a higher score, then odds are the effort of the hack is not worth it. If, however, you attach some monetary reward to high scorers, then you've created an incentive that may make the hack worth the effort.
Even in the absence of JavaScript, it is possible for the user to send a forged packet on the network to send a higher score. HTTPS would pretty much stop this attack. However, considering the two attacks, hacking the JavaScript or messing with the JavaScript runtime variables is a much simpler hack.

If you want to "raise the bar" just a bit on the hack -- possibly making it not worth the user's time -- store the score on the client in an obscured format. For example, don't keep the score in a simple "int" variable, instead keeping it in a string in octal format (Integer.toOctalString()) or other obscure base. This will keep at least a casual user from examining the runtime variables and easily spotting the score to manipulate.

In general, the code is going to be difficult for the user to figure out. Examining/changing the runtime variable with something like Firebug is much easier. If you take away that possibility by also obscuring it, you'll probably eliminate all but the most determined hacker. Again, if there is a big incentive, someone will hack it. If not, they probably won't bother.

-Brett

On Aug 2, 8:02 pm, asianCoolz <second.co...@gmail.com> wrote:
> Just curious on this, since GWT is JavaScript and I wonder possible to
> somehow when calling RPC method, inject invalid value into it? for
> example, GWT game that have setScore(..) method. can elaborate on
> this?