About a year ago there was a thread about this but I can't find it now.

I'm wondering if anybody provides an API, and preferably, back-end server stuff, to support a global high-score list.

IIRC, there was no such thing commercially available a year ago, though somebody e-mailed me that they were working on one.

So, at this point in time, is there any kind of easy solution I could license to do a global high-score system?

There's this (http://www.indiegamebusiness.com/gamedev.inet.php).

That's the only commercial one I know of...

Has anyone here used the IndiePath version? Any feedback?

If it works, the Indiepath solution solves at least 3 issues:

1) Basic API and communication to High-Score server
2) Included encryption on the transmissions
3) Profanity filter (minimizing user submission of profane names, etc)

They also provide an optional
4) Hosting service

But I'm still a bit concerned about
5) Users hacking my EXE and modifying their scores BEFORE they are transmitted to the server. There are many ways users could do this (trainers, etc), and preventing it well is a major undertaking, if the users are determined.

6) Cost issues - Indiepath's hosted service costs about 0.9 cents (i.e. just under a penny) per 100 lines transacted - read OR write. So showing the user a top 100 list would cost about a penny, if I read correctly. Showing a top 50 list 5 times to all users, and having only 1% convert, would run about $2.25 per converted users. Very easy to eat up your profits this way, especially if you're selling through portals, and only getting $6-8 per sale.

The alternative is presumably self-hosting and just paying for their API. But I'm concerned with how difficult it would be to do self-hosting well. Right now I use LunarPages for my company web site, at about $10/month. If I hosted my own high scores list, would I have to move up to a dedicated server at $200+/month? What are people's thoughts/experiences here?

IndiePath doesn't even have a contact phone or even contact e-mail on their website, that I can readily find. Not a good omen...

I'm inclined to say that you should just bite the bullet and implement it yourself.
Looks like even the cheapest LunarPages hosting scheme gives you PHP and a database, so as long as your requirements aren't ultra-complex, the server-side code should be pretty straightforward and you could easily host it on your current site.

My impression is that the security aspect is your biggest concern. An off-the-shelf API might help you by encrypting the over-the-wire traffic (although I'm sure you could just link in OpenSSL or something like that for your own solution).
But if you're worried about people reverse-engineering your code, then the API probably can't magically help you there.

(Actually, I don't think security would be such a big deal - I'd just make sure there were some simple sanity checks in place on score submissions, and plan for some contingency work in the future improve the checks and remove/ban hard-core offenders who manage to circumvent them).

And of course, as an utterly shameless plug, it goes without saying that you should use my HTTP library (http://www.scumways.com/happyhttp/happyhttp.html) to POST highscores to your web server! *cough*

Unless you are getting crazy traffic I can't see how transmitting a few bytes back and forth between the client/server is going to require a dedicated server.
Where's that back of napkin... Let's say you are sending 10 16 byte names and 10 digit scores - I think that's less than 1K even if you decide to use HTTP or some other protocol instead of just streaming the raw bytes. 1K plays == 1MB. I think powweb are giving you 5 GB of traffic a day (~$8 USD a month) so even if you only want to consume 1GB of that for game plays thats 1 million plays a day. Heck, you could even work on getting that 1K down and only hit the server if the player actually looks at the high score board or gets a score worthy of consideration.

One crazy thought I had a while back was to have registered players create a unique handle if they want to post. They have to come to your site, they get a unique handle to brag on and it makes foul language filtering and tracking a more manageable problem.

I know it is some kind out of topic.But I want to question:is it worthy it?

What I thought is the global high scores will serve well who is really really like the specific game and may be extend the game's life,may boost some sales.

But for most casual gamers,do they really care about the global high score?
They may care about "local" high score for the family or friends' competition for fun.But i think most of casual gamers just want play game for relax.

Maybe I am wrong. Maybe there is no answer.I think this is maybe one of Mr. Phil Steinmeyer's experiments for the question.(and thank Mr. Phil a lot information on your BLOG,I learn a lot from there)

I hope this is a good issue to discuss, not one of my stupid questions.

Well, global high-score is one way (among several), to add meta-game aspects to your game.

Most casual games are really simple games. You don't want the user to get sick of the basic mechanism of Collapse, Bejewelled or whatever in 15 minutes, but how do you hook them and give them the sense that each 3 minute contest is part of something larger? Competing for position on a global high score list is one way.

I'm not sure myself if it's worth it - I'm considering implementation difficulty and dollar cost (for hosting, etc), and comparing it's effectiveness to other alternatives (including, I suppose, doing nothing...)

6) Cost issues - Indiepath's hosted service costs about 0.9 cents (i.e. just under a penny) per 100 lines transacted - read OR write. So showing the user a top 100 list would cost about a penny, if I read correctly. Showing a top 50 list 5 times to all users, and having only 1% convert, would run about $2.25 per converted users. Very easy to eat up your profits this way, especially if you're selling through portals, and only getting $6-8 per sale.It is my understanding that it's a single transaction weather you get 1 line of the database or 100.

I just wrote my own

use a little mySQL and a lil PHP and no problem...I think prety much all hosts have both these days

Hi all,

You can contact us via telephone, email, MSN or Skype : http://www.indiepath.com/

Please contact us with your specific requirements and we can then discuss a deal that is right for you - flexibility is the name of the game.

The alternative is presumably self-hosting and just paying for their API. But I'm concerned with how difficult it would be to do self-hosting well. Right now I use LunarPages for my company web site, at about $10/month. If I hosted my own high scores list, would I have to move up to a dedicated server at $200+/month? What are people's thoughts/experiences here?Actually you could host it yourself very simply, you need a mySQL database and we supply the posting & management code.

Please note that whilst we currently market this product as a score system it has many applications such as license checking, multiplayer game lobbies etc.

Tim.

I used this.

http://members.gamedev.net/patbert/highscore/index.htm

I definitely think it was worth it.

I'm using PHP and SQL too, in my webgames. Seems ok so far.

It's pretty simple with php mysql. For security request a key from the server then use md5 to encrypt everything. You shouldn't need a dedicated server for this.

For those of you who've implemented this in one form or another:

How much of a problem (if any), have you had with cheaters (submitting in one way or another bogus-ly high scores), use of profanity in names, and stuff like that?

How about server reliability - if you've got a typical web host that goes down for 15 minutes every now and then, does that cause a lot of irritation by your customers?

Are there major issues in terms of interactions with firewalls and such requiring a lot of testing/debugging of that feature of your game?

BTW, Indiepath, I submitted some questions via your 'contact' page on your site yesterday - no answer yet...

Regarding profanity in names, the only serious incident at my Chihuahua Word Puzzle (http://chi.lexigame.com) was when a player adopted the name "FUCK YOU ALL". Understandably, a number of other players objected and asked me to do something about it. I reset the player's name to "anon" and put a message on the website politely asking the player to choose another name if they intended to continue playing, as many players found the name offensive. I was pleasantly surprised when the player did just that!

I've no idea whether the player concerned even noticed the message about their name, but anyway all ended happily. I'd envisaged a long drawn out battle, with me putting up automated filters and the player finding ways around them. (I wouldn't have been able to block them by IP address, because it was an ISP address that seemed to be used by other players.)

Other players have occasionally used suggestive names, like "Tess Tickle", but no-one has ever objected to these, and I certainly haven't worried about them.

I would guess the frequency of such issues would depend on the type of player visiting the site - word games would probably be less likely to face such problems than games attracting a lot of teenage boys, for instance.

re profanity:

I use a simple filter in-game before I send the name off to the web. It has caught virtually everything so far. I'm not big time - only 6000 odd scores posted, but of the 6000, only "Bent Pecker" has slipped through.

Which I left because I found it vaguely amusing...

Using the browser-based php mysql route, firewalls shouldn't be an issue.

Oh, and no cheaters to my knowledge either. I don't think anyone can be bothered. If there was a prize up for grabs then that would perhaps change...

Sorry Phil, just returned from a short vacation and had lots to catch up with. Will get you the details today as requested.

Tim.

I'm debating between IndiePath's API, another alternative, rolling my own, and/or simply forgetting about it.

One question that's probably a general SQL/mySQL question:

For games with a high number of scores submitted, where the game wants to show YOUR score position even when you're not in the top 10/50/100, they often do it roughly like this:

1) some_name 5142
2) some_name 5011
(etc)
9) some_name 4002
10) some_name 3884

347) YOUR_NAME 871

My memory of SQL is about 12 years out of date, but is there a way to determine the position of a given score without returning all the rows above it?

something like...

select count(*) as 'place' from table where score > 'your_score'

place would be number of rows found

something like...

select count(*) as 'place' from table where score > 'your_score'

place would be number of rows found

Cool - that sounds exactly right.

Hi Phil,

I read you email earlier but not had a chance to respond yet in more detail.

Just quickly, yes you can do complex filtering and yes the position of the score is returned when you post it.

Tim.

I love customer service being conducted on a public forum. And by 'customer service' I mean 'marketing'.

OK, I've rolled my own and it's pretty solid. One of the last items to resolve is security.

AFAIK, my main security concern is that users/hackers don't figure out the html I'm sending to add new high scores, then stuff in their own bogus scores.

Even though I'm doing all this inside my game, I assume there's some way for hackers to sniff out the communication protocol I'm using, right?

Assuming that's the case, what's the easiest solution (using Microsoft's WinINet DLL on the C++ side, and PHP/mySQL on the server side).
1) Compute a checksum using a secret algorithm - use that on the server side to verify high score submissions
2) Use some sort of MD5 type compression. Is this hard to do in C++ and/or PHP? Is it built in to either one, and/or is some other type of security built into either one?

The PHP that drives score uploads is on my public (read-only) web site. Since PHP gets preprocessed and never shown directly to the end-user, that's not a security risk, right?

Anything else I should be paranoid about?

OK, I've rolled my own and it's pretty solid. One of the last items to resolve is security.

AFAIK, my main security concern is that users/hackers don't figure out the html I'm sending to add new high scores, then stuff in their own bogus scores.

Even though I'm doing all this inside my game, I assume there's some way for hackers to sniff out the communication protocol I'm using, right?

Assuming that's the case, what's the easiest solution (using Microsoft's WinINet DLL on the C++ side, and PHP/mySQL on the server side).
1) Compute a checksum using a secret algorithm - use that on the server side to verify high score submissions
2) Use some sort of MD5 type compression. Is this hard to do in C++ and/or PHP? Is it built in to either one, and/or is some other type of security built into either one?

The PHP that drives score uploads is on my public (read-only) web site. Since PHP gets preprocessed and never shown directly to the end-user, that's not a security risk, right?

Anything else I should be paranoid about?
I don't think you can completely hack-proof this without using public key cryptography, which is probably way too much work to be worth it. You sure can obfuscate the communications a lot though, by encrypting it multiple times in multiple different ways and then having the server know how to decrypt it. You could even do something like:

1. have the game hit x.php which returns a blank response (but this should (IIRC) have a timestamp in the http headers that the server returns) - and the server also records that that timestamp is valid as a key for the next 1 minute from this IP.
2. have the game use this timestamp somehow in the process of encrypting the data, and then send it to the server at y.php
3. (you get the idea, I think)

I might be overthinking this, I dunno.

And to answer your question about PHP, yeah, no one can get to your code -- they can only analyze what it outputs.

One last thing - limiting the number of submissions per period of time (from a given IP) could probably be a good idea too, to avoid any kind of brute force attempts.

Yah, I ended up rolling my own as well. Did my own encryption/checksum thing, added filtering on both client and server side as a precaution. :)

One thing I'm doing slightly different from others, I keep a local high score list and only submit the highest score locally to the online high score list.

And make sure your program can't be memory hacked to fake high scores, etc. ;)