Shopping cart help.

begamer26

New Member
For selling a game: I am using PayPal shopping cart buttons, and am redirecting (on success) to a page which will ask them for their e-mail to send them a random code which will be added to a MySQL database. Once the person opens the game (no help needed) it will go to the MySQL database and check if the user's mac-address is in there; if not, it will ask for the code they received in the e-mail, then check if it is in the MySQL database and add the person's mac-address to it. THEN it will check if the mac-address is in the database; if it is, it will let them proceed to play the game. If not, it will automatically close.

*Deep breath* What I need help with is to somehow protect the page that they get redirected to, so they can only give the e-mail if they were 're-directed' by PayPal. (Not if the previous page they were on was PayPal.)

Any help?
 

Anna

I am just me
Staff member
I have no idea on the coding part, but there's potentially another problem with that scenario, if they are to open the game on their own computer, they will not be able to connect to the database if it is on one of our free accounts for verification. Access is restricted to content on our servers only. I notice you don't have a hosting account at this time, but wanted to point that out.

I guess there'd be a way to check for HTTP referrer, and set an "if not from PayPal" clause that gives them information on how to buy the game? I'm sure someone more experienced in coding can suggest something better, and possibly also bash that idea for being insecure.
 

callumacrae

not alex mac
Community Support
Re the first part, that sounds kinda tricky. I think I understood it, anyway :) You can't connect to MySQL remotely, and even if you could that would be a security flaw, as someone could reverse engineer your code, get the login info, and modify the database. It would be better to build something where you query the website, then it returns true or false, e.g. the game could query example.com/verify.php?cine7d84joj367dubv=vhhd6865ycgbb864, which would return either true or false.

You don't want to host that on free hosting, as you need a very fast server to do that. You would probably want VPS.

Anyway, why not use the conventional enter code, play game?

~Callum
 

begamer26

@Anna I plan to get my site paid hosting and on a different website. : P

@Callum You can connect to a MySQL through a game, it basically sends information to a PHP code which does the query. : P I'm not sure how someone could reverse engineer a .exe though. If there is a way, is there any way I could secure it?

If they enter the code, play game. ANYONE could play the game for free. :/ That's what I want to prevent. :C
 

callumacrae

They don't even have to reverse engineer the game, they can just sandbox it and see what it connects to. It really isn't a good idea.

Have a database of lots of random codes. Each code can be used three times, after that it becomes deactivated and the user has to ask you to reactivate it. Distribute one code with each copy of the game, and tell them that if they install it more than three times they will need to contact you. I'm not sure exactly how it should validate the code, but I'm thinking validate.php?code=longcomplexcodehere, which will then return true or false. In order to prevent hackers from brute forcing the code, you should restrict them to 3 attempts every 5 minutes, and then they have to contact you to get their IP unblacklisted.

I think all that would work :)

~Callum
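
The server-side check described in the post above (three installs per code, three wrong guesses per five minutes per IP, then a manual unblock), sketched as an added example that is not part of the original thread. The class and method names are hypothetical, the in-memory dictionaries stand in for the database, and counting only failed attempts toward the limit is an assumption of this example.

```python
import time

MAX_INSTALLS = 3         # each code can be used three times
MAX_FAILURES = 3         # wrong guesses allowed per window
WINDOW_SECONDS = 5 * 60  # "3 attempts every 5 minutes"


class ActivationServer:
    """In-memory stand-in for the database behind validate.php?code=..."""

    def __init__(self, codes, clock=time.time):
        self.uses = {code: 0 for code in codes}  # code -> installs so far
        self.failures = {}                       # ip -> failure timestamps
        self.blocked = set()                     # ips awaiting manual unblock
        self.clock = clock

    def validate(self, ip, code):
        """Return (ok, reason); the game only needs the boolean."""
        if ip in self.blocked:
            return False, "blocked"
        now = self.clock()
        recent = [t for t in self.failures.get(ip, []) if now - t < WINDOW_SECONDS]
        if len(recent) >= MAX_FAILURES:
            self.blocked.add(ip)  # stays blocked until unblock() is called
            return False, "blocked"
        if code not in self.uses:
            self.failures[ip] = recent + [now]
            return False, "invalid"
        if self.uses[code] >= MAX_INSTALLS:
            return False, "deactivated"  # owner must ask for reactivation
        self.uses[code] += 1
        return True, "ok"

    def reactivate(self, code):
        """Manual step: the seller resets a used-up code."""
        self.uses[code] = 0

    def unblock(self, ip):
        """Manual step: the seller clears a blacklisted address."""
        self.blocked.discard(ip)
        self.failures.pop(ip, None)
```

Passing the clock in makes the five-minute window testable without waiting; a real deployment would keep the same counters in database tables.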
 

begamer26

C: Good idea! But I think something else than their IP should be blacklisted as people can spoof them quite easily. Overall Great idea! :D
 

callumacrae

They can spoof anything if they want to, just use their IP

~Callum
 

begamer26

Yeah, but the IP changes all the time with a few ISPs. They would be able to play the game for a day, turn off their router, turn it back on, they'd get ripped off. :C The mac-address always stays the same though. C:

Anyway, how would I make sure that the person got redirected from PayPal on the page where it asks them for their e-mail address? I want to make sure that you can only get the code if you paid for it. :B
 

callumacrae

Nonono I meant that during installation they would have to enter the code, their copy isn't validated when the game is opened. If the server went down they wouldn't be able to play :)

It's as easy to change or forge your mac address as it is to change your IP if you know how.

I don't know about the PayPal bit, sorry

~Callum
 

begamer26

I'm not sure how I would do that though? :confused:
 

essellar

Community Advocate
Community Support
Reverse-engineering an EXE is not particularly difficult -- they don't need to arrive at your original source code; just the disassembled machine code will do quite nicely, and you don't need to do much to patch the EXE to skip your call-home. That said, a game that requires the user to be online for anything other than multiplayer matches is almost guaranteed to result in warez if it's worth playing -- even people who buy legitimate copies of the game are likely to eventually get the warez version just to avoid the online restriction. Registration/activation is one thing, but a call-home on a locally-installed EXE is something that has been known to cause otherwise law-abiding coders to create "patches" for their own convenience, and those tend to spread quickly to people who don't really feel like spending money if they don't have to.
 

callumacrae

Why do you need it to be so secure, anyway?

~Callum
 

begamer26

@essellar Woah! Any way I could make it so they don't have to go online to play? Perhaps by writing something to the registry?

@Callum I'm a student with no money. D: What else do I need to say?
 

stpvoice

Community Support Rep
Community Support
Can't you just do it the old fashioned way, and send them a disc or the exe? Perhaps put something in the installer which allows you to give them a single-use code. Once installed once, the code is invalid, and the game cannot be installed without it.
 

callumacrae

That's exactly what I meant, but give them three installs for when Windoze breaks and they have to reformat ;)

~Callum
 

begamer26

Yes that method is fine, it's just once someone has paid for it and it's installed, they could just copy the files from say "C:/Program Files/GameDirectory" and upload them to the internet, people could get it for free that easily. :C
 

essellar

First, you need to accept and become one with the fact that there will be piracy if the game is worth playing. A lot of people have put a lot of hard work into securing software that you'd think would have very small niche markets, cost an incredible amount of money to produce, and therefore have very high but reasonable prices, and they turn up cracked on places like Pirate Bay all the time. There's nothing you can do about it, really, so the object of the game is to stay as far away from encouraging piracy as you can. That means keeping your price as low as you can reasonably make it (but not so low that people immediately think it's got to be crapware), and making the product registration/activation process as simple and pain-free as possible. One old standby is to use a hash value (internally to the program) that is significantly shorter than the "activation code" you supply. That allows you to provide a rather large number of valid activation codes that all hash to a relatively small number of valid hash values (you're depending on hash collisions rather than trying to avoid them) -- the user enters the activation code (which is written to the registry) and your program hashes that value to validate it against a short list of valid hashes stored internally to the program. No, it's not particularly secure (since codes can be shared) but it is very low on the annoyance scale for the user and opaque enough (since there are enough unique validation codes that every user should be able to get a different one on registration/purchase) to both seem secure and make purchasing a sensible option.

Oh, and it's a good idea to make it clear in the license that the user will be able to install it on multiple computers (at least on both their desktop and laptop) -- when they feel like they've done something vaguely illegal, but not quite wrong in their minds, it's easy to slip into the "in for a penny, in for a pound" mentality. When they feel like you've been good to them, they're more likely to be good to you in return.
 

begamer26

I understand that the price mustn't be too high or too low, but I don't know what would be a good price for a game. 5-15 pounds/dollars/euros?

I'm not quite sure what a hash value is though, although I think I might have an idea:

A hash value has many different possibilities, when the activation code is generated it must have the same hash value as one of the ones in my game/program. After the code is written in the registry, when the game/program opens, it will read it, convert it to its hash value and check if it matches one of the ones in the game/program. If it matches it will let the player continue??? Am I close?
 

essellar

That's just about exactly it, yes. You'd want to generate a list of values -- say, all 30-character combinations of upper-case letters and numbers (omitting the ambiguous O, 0, 1 and I, giving you a huge number of starting combinations) -- then hash them all using a function that produces, say, a 16-character hex hash. Obviously, there are going to be a lot of collisions, since there's no way the starting combination space can even begin to fit in the end space. Pick a very few highly-populated hash values, and use the corresponding starting values as your activation keys, assigning one to a customer (you should run out of customers long before you run out of unique keys unless your game goes pan-galactic, and if you do run out, there's no real harm in going back to the top of the list and starting again). It will take some time to create the list, generate the hashes and extract the keys that will require the fewest number of stored hashes in the program, so be prepared for that. There are a lot of combinations in that working space.

As for the price, $14.99 to $29.99 is a sweet spot -- it's just expensive enough to seem like a real price, and just cheap enough to avoid being "real money". And do use the "multiple of five minus a penny or two" pricing; people will pay twenty bucks if the tag says $19.99, but not if the price is exactly $20.00. It's consumer expectation -- at $19.99, it seems like you took the time to work out a price, while $20.00 looks like you pulled a number out of ... (I'm sure you know the phrase, but this is a G-rated forum).
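
The offline activation-key scheme from the first paragraph of the post above, as an added example that is not code from the thread: candidate keys are hashed to a short value, the most populated hash values are kept, and the program ships only that short list. The function names are hypothetical, and the 16-bit SHA-256 truncation is an assumption chosen so that enough collisions turn up within a sample of 60,000 candidates.

```python
import hashlib
import secrets
from collections import defaultdict

# 26 letters + 10 digits minus the ambiguous O, 0, 1, I = 32 symbols
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
KEY_LEN = 30
HASH_BITS = 16  # assumption for this demo; narrow so the search is fast


def short_hash(key: str) -> int:
    """Truncate SHA-256 to HASH_BITS so many keys share one value."""
    digest = hashlib.sha256(key.encode("ascii")).digest()
    return int.from_bytes(digest[:4], "big") >> (32 - HASH_BITS)


def random_key() -> str:
    # 32 symbols = 5 bits each, so masking a random byte is unbiased
    return "".join(ALPHABET[b & 31] for b in secrets.token_bytes(KEY_LEN))


def build_keys(candidates: int = 60_000, buckets: int = 3):
    """Vendor side: hash candidates, keep the most populated hash values."""
    by_hash = defaultdict(list)
    for _ in range(candidates):
        key = random_key()
        by_hash[short_hash(key)].append(key)
    top = sorted(by_hash, key=lambda h: len(by_hash[h]), reverse=True)[:buckets]
    keys = [k for h in top for k in by_hash[h]]
    return keys, frozenset(top)


def normalise(entered: str) -> str:
    return entered.replace("-", "").replace(" ", "").upper()


def validate(entered: str, valid_hashes: frozenset) -> bool:
    """Client side: only the short hash list ships inside the program."""
    key = normalise(entered)
    if len(key) != KEY_LEN or any(c not in ALPHABET for c in key):
        return False
    return short_hash(key) in valid_hashes


def guess_success_rate(valid_hashes: frozenset) -> float:
    """Chance that a random well-formed key validates: the scheme's cost."""
    return len(valid_hashes) / 2 ** HASH_BITS
```

`guess_success_rate` makes the trade-off measurable: every extra stored hash value, and every bit removed from the hash, raises the odds that a made-up key is accepted.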
 