Preventing code from being executed by the user

Question

So I'm writing a game with JavaScript, and the biggest problem with that is that whoever is playing it who might have a decent knowledge of JS could open up my source code, figure out how it works, then plug a game.score = 100000000000000; into the console. However, it seems that aside from obfuscating the script, wrapping everything in an anonymous function does the trick.

(function() {
    game_start = function() {
        //etc
    }
    //etc
 })();

When I try and run any of the code from the Chrome Console, it comes up with undefined. This is the desired result, but is there a way around my method that would render it useless? Or even a better way to prevent things being run from the console?

Answer 1

There is no way to ensure that person will not cheat. Even with badly obfuscated code (I'm talking about stuff like H5b(b){if(b.pd()&&b.Ca&&b.gKa){var a=b.ra(RT.Nwa)) you can still watch the UI changes or network requests and trace it from there.

Some people use AJAX calls to validate the score, e.g. every time the score increases/decreses the app will make an AJAX call to back-end and you track the score on back-end too. When user submits the final score you check it against back-end score and if it's different then you will know that the person was cheating.

However this will not prevent people from writing a script that makes those ajax calls and that way makes it's score valid.

tl;dr: no, there is no way to ensure that user-side code is not compromised.

Answer 2

Sorry, but there is no way to truly prevent a user from cheating when the game runs on his machine. Any code which runs on the users machine can be manipulated by the user. When you want to make it impossible to cheat, you have to implement all the game logic on a server, don't sent any information the player isn't supposed to know and don't accept any commands the player isn't allowed to do.