Making website leaderboard...


ubergeek(Posted 2008) [#1]
I have an idea for leaderboards for my game. Unfortunately, I cannot connect to outside servers with my game, so this seems like the only option. I'm stuck at one part, though. I don't know if I can (or how to) do this with a standard web host, or if I need a dedicated server. Here's the idea:

When the player gets a high enough score, a code is displayed on screen with instructions. The code has all the information, score, levels, whatever, but it is heavily encrypted so it looks like gibberish (or a UPC code) to the player. This would be to keep unscrupulous players from cheating the system.
The player then goes to my website, and enters their name and the code. The website then decodes the code, and if it is valid, it adds their name to the leaderboard depending on their score.

I think something like this was done a while back with a DS game, although I don't know how it worked out.

I'm pretty sure I have some code somewhere for encoding/decoding the code. But I'm stuck at one thing: how can I implement the code for decoding and updating the leaderboards in my website? Can I do this with a script or something? And can I do this with a standard Web host, or do I need to rent a dedicated server?


Yahfree(Posted 2008) [#2]
sounds like it could be done with php/mySQL..

You could have a validator script on your host that could be requested by the program... The script then takes the info fed to it and puts it in the database (I'm not sure exactly how this works, but I've seen it done before)

ubergeek(Posted 2008) [#3]
I have no knowledge of either of those, except that they're related to web authoring. I had thought of just having a text file that contained all the scores, and then somehow read/write to it when a new highscore is added, and when someone simply goes to look at the leaderboards, the web page reads the current scores from the text file. Or do I need to encrypt the file also?...
If anyone has links for how to do something like this, that would be really helpful.

Yahfree(Posted 2008) [#4]
Maybe this will help you:

ubergeek(Posted 2008) [#5]
Thanks!! I scrolled through it, it looks like it will answer part of my questions.
The main thing is, my game physically cannot access any outside servers. It's impossible. I need some way of adding the scores via a webpage. I'll read the rest of the article, so sorry if it talks about that ... :-)

Yahfree(Posted 2008) [#6]
your validator.php file would look something like this:


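<?php
// Database credentials (placeholders)
$host = "yourhost";
$username = "yourusername";
$password = "yourpassword";
$database = "yourdatabase";

// The code the program is expected to send (placeholder)
$from_program = "yourvalidationcode";

$name = isset($_GET['name']) ? $_GET['name'] : '';
$score = isset($_GET['score']) ? (int) $_GET['score'] : 0;
$validation_code = isset($_GET['code']) ? $_GET['code'] : '';

if ($validation_code === $from_program) {

    $db = mysqli_connect($host, $username, $password) or die("Unable to connect");
    mysqli_select_db($db, $database) or die("Unable to select database");

    if ($score > 0) {
        // Bound parameters keep $name from changing the SQL statement
        $stmt = mysqli_prepare($db, "INSERT INTO buttonscores
            VALUES (NULL, ?, ?, CURRENT_TIMESTAMP)");
        mysqli_stmt_bind_param($stmt, "si", $name, $score);
        mysqli_stmt_execute($stmt);
    }
}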


Then you would write the http commands in blitz to call this script like so(this part i'm not sure about):


Yahfree(Posted 2008) [#7]
What do you mean can't access any outside servers? You need this to be able to remotely call a php script which would put your name stuff into the database.

ubergeek(Posted 2008) [#8]
This is for a game written in XNA. Microsoft doesn't let your games access any outside servers. :-(
That's why this needs to be strictly website-based, where a player enters a code, the website decodes it, then it adds the score to a table.

Will I still be able to use a MySQL database for that?

ubergeek(Posted 2008) [#9]
I just had an idea: I could write a small Blitz app that takes the information and submits it! Players would have to download it first, but that shouldn't be much of a problem. Then the decoding could be handled through Blitz code!!!

Yahfree(Posted 2008) [#10]
what are you using XNA in? because most languages have support for server requests.

Is it like a contract with MS where they don't want you to access servers? 0.o

but yeah, without the app telling the website what its code is... the website won't know what the code is that the guy is entering from the application.

ubergeek(Posted 2008) [#11]
Another idea: I had read a while back on these forums about a tool that wrapped a Blitz game and allowed it to be played through a web page! I could use that to wrap a simple BlitzPlus app that asks the user for name+code, and then it could communicate with the php and everything while still being in a web page!!!!!

ubergeek(Posted 2008) [#12]
I'm using MS Visual C# Express for XNA.
XNA's website is down right now, but yeah, I think it is, basically, that they don't want you to be able to access outside servers. :-(

The idea is, that the game creates a heavily encrypted code from the players score. The player enters that code into the Blitz app, and the Blitz app decodes it. Then the Blitz app can talk to the database and upload it, right?...

What I was thinking of was using OSAkit to wrap my Blitz app - then the user could do all this from the comfort of their web browser! (too bad for Mac/Linux users though)

ubergeek(Posted 2008) [#13]
"Then you would write the http commands in blitz to call this script like so(this part i'm not sure about):"


Since I already have my website set up, I figure I'll set this part up and test it. This would be so cool if it works!!!

Yahfree(Posted 2008) [#14]
pointing your webbrowser to it also calls the script, so you'll have to have the password part.

well, the .net library has functions for this stuff I think... Is it in the user agreement that XNA apps cannot use internet functions? I think that's quite strange.

your Blitz app thing could work... but I still don't see the need for it.

If you create a decryption/encryption algorithm (this will take a while, cause you have to create an alternate character/groups of characters for each character encrypted..) And then have the blitz app decode it. But unless the encrypted code was their highscore/name the blitz app won't have that part.

Yahfree(Posted 2008) [#15]
To call the php script you would do something like this (Blitz Max):

' Returns 1 if the URL could be opened (which runs the script), 0 if not
Function CallScript:Byte(myurl:String)

	Local ip:TStream = ReadStream(myurl)
	If Not ip
		Return 0
	EndIf
	CloseStream ip
	Return 1
End Function

If CallScript("")
	Print "Script called."
EndIf

Foppy(Posted 2008) [#16]
If all else fails you could write in your game "send the secret code to this e-mail address and if the code is valid your score might appear on the website!". And then edit the html of the website by hand.

plash(Posted 2008) [#17]
Or... if you have an *actual* server just write a program to send and receive encrypted data.

Sauer(Posted 2008) [#18]

I've been doing the e-mail thing for a couple years now and it doesn't really work.

Granted the game is borderline impossible and I don't do any marketing, but still...

I don't know I guess if it was a good game maybe.

Yahfree(Posted 2008) [#19]
to be honest, I wouldn't submit a high score if I had to email the guy... then wait for HIM to add the score in. I think an automatic high score board is much better than a single person manually entering each high score.

I'm still curious about this "non-online" policy with XNA :)

Banshee(Posted 2008) [#20]
Can XNA handle multiplayer? You could connect to a php script via a socket call in the same way you would send data to another player you can send data to a php script.

You don't need to wrap a Blitz application to a web page, php is more than capable of handling the processing already.

Additionally, if you have a MySQL module for XNA you could bypass the whole web page thing and directly access a MySQL database stored on a web host.

I find it surprising that there are no means at all to connect to the outside world in XNA. I cannot think of any game that I would write now that does not have at least some level of web integration somewhere, if only for an automatic updater.

ubergeek(Posted 2008) [#21]

Read the third post down. :-(

I can see why MS is doing this. If they let you connect to any server, unscrupulous developers could mine GamerTags and other personal info. It makes things very difficult for honest developers though.

Is there an MD5 hashing function for Blitz? I'm still looking...
My idea for how this would work is:

1) Player gets super-high score. Player gets hashed-to-oblivion code.
2) Player is really competitive, so he goes to my website which is advertised ingame (Got a high score? Send it here!...)
3) He navigates to the High Score Entry page. This is a Blitz app wrapped in OSAkit (if that works, I haven't really looked at it yet)
4) He enters his hashed code and name
5) The OSAkit-wrapped BlitzPlus app decodes the message; if it is valid, it calls something like
 HTMLViewGo NonexistantHTML,"

6) new.php decodes the MD5 hash, connects to the database, and adds the highscore/name

...I think. Does that look right? Before I go setting up more webspace and writing HTML/php, will this work???

Also, apparently my host is using Windows servers, so I apparently cannot write php scripts or make MySQL databases. I'm either going to have my host switch servers (1 day downtime!!!) or get some free web hosting by ByetHost (which uses Linux) and just link from my main website to there. Unless there is any way around this, or ByetHost is worse than their website claims. Ideas? Testimonials?


ubergeek(Posted 2008) [#22]
I haven't been able to find much about ByetHost, besides the article that suggested it.
Has anyone here used it? How are they? Or would it be easier to have my host switch my site to a Linux host?

I'm thinking it may be a good idea to have ByetHost host only the leaderboard; I have no way of telling how popular my game could be, and by splitting up the website that will also split up the bandwidth drain.

Yahfree(Posted 2008) [#23]
I don't think blitz has built in md5 functions, you'll have to find a lib. For example, I believe brucey has a md5 module for blitzmax.

Other than that it should work:

app->hashed md5 containing score/name/validation code->blitz app decodes and validates it->either sends it to a php script or puts it directly in the database-> app or website calls the info out of the database for display.

And linux servers tend to support a wider range of 'popular' server side languages(such as php)

VP(Posted 2008) [#24]
I'd not use MD5, it's shown to be somewhat trivially circumvented. Would still take some effort, but someone will, given opportunity.

SHA-1 would be better. SHA-2 variant even better, but probably overkill.

Wikipedia it, if you're thinking 'huh?' ;)

Banshee(Posted 2008) [#25]
md5's are too long to type in, and honestly I don't see anyone making use of the feature in this way. Does XNA support multiplayer?

php and MySQL run fine on Windows, if your host refuses to install them then I hope it's a free host. IIS can probably do it also mind, I just wouldn't personally know where to start.

PHP can connect to a Blitz application at the socket level as if it is a player, that's the route I'd go down. If it's not automated, it's not going to work.

ubergeek(Posted 2008) [#26]
"md5's are too long to type in, and honestly I don't see anyone making use of the feature in this way. Does XNA support multiplayer?"

Please see my above link to XNA's forums. Yes, it does support multiplay through XBox Live, but MS won't let you connect to outside servers. Unfortunately, YOU CANNOT CONNECT TO OUTSIDE SERVERS WITH XNA!!! :-(

"php and MySQL run fine on Windows, if your host refuses to install them then I hope it's a free host."

I'm using 1and1 with a Windows server. There's not an option to use MySQL with a Windows package. It could probably handle php, but without the database it's useless. That's why I'm thinking of getting a free account with ByetHost and using that for my leaderboard. Does anyone know about them? Are they any good??

"PHP can connect to a Blitz application at the socket level as if it is a player, that's the route I'd go down. If it's not automated, it's not going to work."


So, what should I use to encode the code? :-)

VP(Posted 2008) [#27]
1&1 are complete pap.

For the same money, you could get a much better hosting package. Not wanting to turn this into a "who provides the best hosting" thread, but PAC Webhosting cost me 20/year and give unlimited domains, unlimited MySQL and generous capacity and bandwidth.

Hosting without a database back-end is suitable only for trivial sites. You can't even install blogging software without it.

Banshee(Posted 2008) [#28]
"Please see my above link to XNA's forums. Yes, it does support multiplay through XBox Live, but MS won't let you connect to outside servers. Unfortunately, YOU CANNOT CONNECT TO OUTSIDE SERVERS WITH XNA!!! :-("

This was my point, you reverse the concept and have the "server" connect to XBox Live as a player to exchange the necessary data as a 'bot'. I don't know about XBox live personally and I've no personal interest in XNA, but conceptually it appears to be a sound approach.

php can operate at the stream level, but conceptually you could even have an application running on a server to do the same thing. The issue is that of hosting, if you've an account that lets you run cron tasks you could write an application that scans the game listings every few minutes and connects, stays connected until game ends and collates the stats/scores.

There's all manner of approaches once the concept of the 'server' connecting to the game is used, completely nullifying the whole concept of the "no connecting to outside servers". Once you've established a connection you could do all the same things, even provide content into the game.


Banshee(Posted 2008) [#29]
In regards the SQL issue there is no absolute need to have a database, php is quite capable of reading and writing files in any directory with a permissions mask of 7-7-7 (or on a Windows server, give write access to the user which the php service runs under via the access control list).

ubergeek(Posted 2008) [#30]
Hmm! I'll have to ask on the XNA forums, though I'm pretty sure MS would have a fit if someone were to do that. Good idea, though I'd have no idea how to do that, and I'm already busy just trying to finish my game, I'm not sure if I'd even have time to do something like that.

I think MS' whole point was to prevent mining of players data. If so, no matter how pure my intents, I doubt they would allow that. :-( I'll look into it though.

Banshee(Posted 2008) [#31]
Well doing it this way your web server will be able to collate no more personal data than your existing application, so ethically it can't be challenged.

It is a more technical solution however, the simplest approach to code would be to write an actual application in XNA that runs from the server - if you can get hosting which supports that (speak to your hosts).

The php solution would likely work with any service that allows cron tasks to be run, but depending upon how XBox Live handles online games there may be added complications with server handshakes and acquiring lists of active games etc.

ubergeek(Posted 2008) [#32]
From the XNA forums, on a thread about leaderboards, and doing exactly what you suggested:

Seriously, folks, this is a blatant violation of the XBox LIVE Terms of Service - "using the Service or related hardware to obtain any data to design, develop or update unauthorized software that you use or provide to others to access or use in connection with the Service".

So no leaderboards, full-stop. End-running the system is not going to work. It's just going to get you in trouble. There is more than enough room to play with in the system, and if you play nice and do well, you get to move to the next level. If you want leaderboards for your game, the question is not "how do I get leaderboards on XNA" but "how do I use XNA to get into the full-on XBLA space".

So, my only hope would be that my game is popular enough that MS wants to upgrade it to a full Arcade release. Otherwise, I'd have to use a code system. :-(

So... Anything in Blitz for SHA-1 or SHA-2, and then something that can be ported to php to decode it? Actually, I'd need a code generator for C# for the actual game, too. This could be tricky... I'm not a php programmer - I just learned about it the other day from that tutorial.

I'll search the code archives, but if anyone knows about this for php/c#, that would be extremely helpful!


Banshee(Posted 2008) [#33]
I'll tell you now it's a lot of work for something that will not be used.

Although it does not breach this article in the manner I described,
"design, develop or update unauthorized software"
Your software isn't updating, it simply features dynamic content.

ubergeek(Posted 2008) [#34]
I've read a lot in their forums, and apparently leaderboards are out of the question. Plain and simple. I'm pretty sure 'dynamic content' qualifies as 'updating', sadly. It's terrible, but the truth. :-(

It probably is more effort than it's worth, but I might use it in another game if not this one, and I like the idea. Besides, what other reason do I need besides 'because I can'? :-)

I've tried searching the forums, and all I could come up with was this. I only have Blitz3D and BlitzPlus, so it's kind of useless. Is there something like that that works with B3D or B+?

Banshee(Posted 2008) [#35]
An md5 would be too long, you need something that scrambles the values, is only a few digits long, and has a verification code.

Perhaps converting the score to base-36 (1..0 A..Z), and generating a random key that's used to modify the code and user name.


Where 291 is the random key, 28CAH might be a score generated and run through the key, and FJW is the result of passing my 3 digit name through the same random key.

This results in a much shorter key. You could also add some validity checking by multiplying the score by a value like 7 before doing all the tricks to it, then when you decode it at the other end if it isn't divisible by 7 you know it is either mis-typed or spoofed.
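
The short code layout suggested above (random key, base-36 score, verification part), written out in PHP as an added example that is not code from the thread. In place of the multiply-by-7 check it uses a truncated HMAC-SHA256 tag, which is a substitution; SECRET_KEY, the NONCE-SCORE-TAG layout and the function names are assumptions.

```php
<?php
// Added example: score codes of the form NONCE-SCORE-TAG, all upper-case.
// SECRET_KEY is a constructed placeholder; the same key is compiled into the game.
const SECRET_KEY = 'replace-with-a-long-random-key';
const TAG_LEN = 8; // hex characters kept from the HMAC (32 bits)

// Upper-case base-36 text for a non-negative integer.
function to_base36(int $n): string {
    return strtoupper(base_convert((string) $n, 10, 36));
}

// Tag = truncated HMAC-SHA256 over the nonce and the score.
function score_tag(string $nonce, int $score): string {
    $mac = hash_hmac('sha256', $nonce . '|' . $score, SECRET_KEY);
    return strtoupper(substr($mac, 0, TAG_LEN));
}

// What the game does: build the code shown to the player.
function make_code(int $score): string {
    $nonce = '';
    for ($i = 0; $i < 3; $i++) {
        $nonce .= to_base36(random_int(0, 35));
    }
    return $nonce . '-' . to_base36($score) . '-' . score_tag($nonce, $score);
}

// What the website does: return the score, or null when the code is
// mistyped or altered. Lower-case input and stray spaces are accepted.
function verify_code(string $input): ?int {
    $code = strtoupper(trim($input));
    if (!preg_match('/^([0-9A-Z]{3})-([0-9A-Z]{1,6})-([0-9A-F]{8})$/', $code, $m)) {
        return null;
    }
    $score = (int) base_convert($m[2], 36, 10);
    // Only one spelling of each score is valid (no leading zeros).
    if (to_base36($score) !== $m[2]) {
        return null;
    }
    // hash_equals compares the two tags in constant time.
    return hash_equals(score_tag($m[1], $score), $m[3]) ? $score : null;
}

// Constructed demonstration: a genuine code, then the same code with the
// score field changed but the old tag kept.
$code = make_code(123456);
echo $code, "\n";
var_dump(verify_code($code));

$parts = explode('-', $code);
$parts[1] = to_base36(999999);
var_dump(verify_code(implode('-', $parts)));
```

The game would build the same tag in C#. Because the key ships inside the game, this raises the effort needed to fake a score rather than ruling it out.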

ubergeek(Posted 2008) [#36]
I was thinking of something like that. Thanks for the ideas!

Still, does anyone know about Byethost???

I'm still working on what I'll use to store the database. I don't know php, and it's a bit late to be doing so as I want to release my game ASAP. Also, if OSAkit will work to wrap a Blitz app to actually enter the high score info. Hmmm....

Banshee(Posted 2008) [#37]
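<form method='post' action='score.php'>
  <input type='text' name='code'/>
  <input type='submit' name='submit'/>
</form>

<?php
  // score.php: placeholder settings, replace with your own
  $db_host = "yourhost"; $db_username = "yourusername";
  $db_password = "yourpassword"; $db_name = "yourdatabase";

  // $playerName, $score and $playerId must come from your own decoding of
  // $_POST['code']; the values here are placeholders
  $playerName = "AAA"; $score = 0; $playerId = 1;

  //example of connecting to SQL
  $chandle = mysqli_connect($db_host, $db_username, $db_password) or die("Connection Failure to Database");
  mysqli_select_db($chandle, $db_name) or die ($db_name . " Database not found. ");

  //example of reading from SQL
  $query="SELECT id,name,score FROM `top100` WHERE id>0 ORDER BY score desc LIMIT 100";
  $playerResult = mysqli_query($chandle, $query) or die("Failed Query of " . $query);
  while( $player=mysqli_fetch_array($playerResult) ){
    // escape names on output so a submitted name cannot inject HTML
    echo htmlspecialchars($player['name']).'  '.$player['score'];
  }

  //example of an SQL update (bound parameters keep input out of the SQL text)
  $stmt = mysqli_prepare($chandle, "UPDATE `top100` SET name=?,score=? WHERE id=?");
  mysqli_stmt_bind_param($stmt, "sii", $playerName, $score, $playerId);
  if(!mysqli_stmt_execute($stmt)) die(mysqli_error($chandle));

  //example of an SQL insert
  $stmt = mysqli_prepare($chandle, "INSERT INTO `top100` (name,score) VALUES (?,?)");
  mysqli_stmt_bind_param($stmt, "si", $playerName, $score);
  if(!mysqli_stmt_execute($stmt)) die(mysqli_error($chandle));
?>

<p>HTML can be included in php files</p>

<?php print "<p>And you can access $variables inside quote strings</p>"; ?>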

I wrote that straight into the forum edit box so please forgive any errors, you should have samples there of all the complex stuff. The commands to look up for doing your code will be (google is a great online manual, w3schools is a very useful site when it's high on the search results).


Banshee(Posted 2008) [#38]
oh for hosts I usually use for small stuff, and for medium/enterprise stuff. For big stuff I throw my own server into a datacentre.

ubergeek(Posted 2008) [#39]
Cool! Many, many thanks!!!!!
I'll try this out as soon as I figure out which host I'm going to be using, or if I'll switch my host's server to Linux. This will be great!!!


VP(Posted 2008) [#40]
Apologies, if I'd really read this thread in detail, I'd not have mentioned SHA-1. I still thought there would be some way of HTTP'ing to a server to transfer the data.

If your solution involves even the most minimal effort from the user in visiting a website to enter a code, it's a feature that will never be used. You're selling to the casual gamer, they don't care about leaderboards enough to put effort in.

XBLA leaderboards are a "oh, that's cool" rather than a "I must have this" option.

Yahfree(Posted 2008) [#41]
if a database is out of the question for hosting, but you can still manage php, then you may be able to get away with reading/writing to a text file.

ubergeek(Posted 2008) [#42]
"XBLA leaderboards are a "oh, that's cool" rather than a "I must have this" option."

I'm not entirely sure if they are or not. I've been hearing mixed opinions on the XNA forums - some people are saying what you are, but others think that a lack of leaderboards will be one more reason for people to buy a Live Arcade game, instead of Community game. For some, leaderboards and Achievements are a big selling point for games. Unfortunately (well, and for good reason), CC games will not be able to offer Achievements.

If I can somewhat easily implement an online leaderboard system, even if it's barely used, that will be one more bullet point for my game. That can do nothing but good!

"if a database is out of the question for hosting, but you can still manage php, then you may be able to get away with reading/writing to a text file."

I have a question about security: if my highscores are in, say, Scores.txt, what's to prevent people from putting "" in their browser, and then modifying it? Is that possible, or am I just paranoid? :-)

I would have to assume it's not possible, but I want at least some level of security.

I suppose another issue would be how to limit the number of scores. With a database, as outlined in that tutorial, it's pretty easy to have an infinite number of entries (or at least several thousand). With a text file, I'm not so sure. I'm not sure if I'd be able to easily sort them by score, like with a database. Then there's the performance issue if you have thousands of entries in a text file...

Decisions, decisions...

Banshee(Posted 2008) [#43]
A text file can be equally secure, especially if you name it php and include this in the first line:
<?php /*

And as the last line
*/ ?>

However http has no write permissions so you are safe anyway.

I would use a database as it's simple, easy and optimisation and sorting is done for you. That said, I've used both database and file storage methods for projects in the past, sometimes it's a case of what's quickest and easiest to knock out - and on occasion that's been decided by which programs I already have open...
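
A flat-file leaderboard that uses the two guard lines described above and also handles the sorting and size limit asked about earlier, as an added example that is not code from the thread. The file name scores.php, the 100-entry limit, the 12-character name filter and the function names are assumptions.

```php
<?php
// Added example. SCORE_FILE and MAX_SCORES are assumed values.
const SCORE_FILE = __DIR__ . '/scores.php';
const MAX_SCORES = 100;
const GUARD_OPEN = "<?php /*\n";
const GUARD_CLOSE = "*/ ?>\n";

// Keep only letters, digits, space, '_' and '-', so a stored name can never
// contain the characters that close the comment guard or the tab separator.
function clean_name(string $name): string {
    $name = preg_replace('/[^A-Za-z0-9 _-]/', '', $name);
    return substr(trim($name), 0, 12);
}

// Read "score<TAB>name" lines; guard lines and anything malformed are skipped.
function parse_scores(string $text): array {
    $rows = [];
    foreach (explode("\n", $text) as $line) {
        if (preg_match('/^(\d+)\t([A-Za-z0-9 _-]{1,12})$/', $line, $m)) {
            $rows[] = ['name' => $m[2], 'score' => (int) $m[1]];
        }
    }
    return $rows;
}

// Add one entry, keep the list sorted by score and capped at MAX_SCORES.
function add_score(string $name, int $score): bool {
    $name = clean_name($name);
    if ($name === '' || $score <= 0) {
        return false;
    }
    $fh = fopen(SCORE_FILE, 'c+');   // create if missing, do not truncate
    if ($fh === false) {
        return false;
    }
    flock($fh, LOCK_EX);             // one writer at a time
    $rows = parse_scores((string) stream_get_contents($fh));
    $rows[] = ['name' => $name, 'score' => $score];
    usort($rows, fn($a, $b) => $b['score'] <=> $a['score']);
    $rows = array_slice($rows, 0, MAX_SCORES);

    $out = GUARD_OPEN;
    foreach ($rows as $r) {
        $out .= $r['score'] . "\t" . $r['name'] . "\n";
    }
    $out .= GUARD_CLOSE;

    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, $out);
    fflush($fh);
    flock($fh, LOCK_UN);
    fclose($fh);
    return true;
}

// Constructed sample entries; the punctuation in the second name is dropped.
add_score('Ann', 1200);
add_score('Bob */', 900);
echo file_get_contents(SCORE_FILE);
```

The page that displays the leaderboard reads the same file through parse_scores() rather than linking to it directly.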

ubergeek(Posted 2008) [#44]
I might just switch my host (1and1) to a Linux server, so I can create a MySQL database. That looks easiest. Interesting why that only works on Linux...

Banshee(Posted 2008) [#45]
I think it's more an issue with it not being supported by 1and1. I develop for a Linux server on a Windows Vista machine, I've got apache running php and full MySQL support in both environments. To me OS choice is a matter of efficiency (server) and productivity (my dev environment).