
Cheating with DiceRoller

Linc Detroit Admin

Hey @ToastyFish, I dunno if you're still maintaining this but I recently had a look at the source at the request of a client. Unfortunately it's easy to circumvent the anti-cheat mechanism with a little HTML. You'll probably want to store the roll value on a separate database column or in the Attributes column, and then show it separately after the body of the comment. That way it isn't editable at all after a roll is made. Attempting to pattern-match what the person types is going to fail no matter how hard you try.

If you have questions about doing that, feel free to post 'em here or start a new discussion and @mention me. Alternatively, if this client contracts us to make the change, I'll pass 'em back to you for the next version.


  • Todd Chief Product Officer Vanilla Staff

    If I were to make a dice roller I'd consider some of the following options:

    1. Don't let the author edit or delete a post that has a dice role in it.
    2. Use the post's ID and/or timestamp as a random seed so the numbers generated off the post are always the same.
  • Linc Detroit Admin

    Yeah he said elsewhere he didn't want to lock down comments tho, which leaves storing the calculated result separately (and only calculate on inserts, not updates).

  • Todd Chief Product Officer Vanilla Staff

    Man, that's just not advisable. Let's look at this scenario.

    I swing my longsword at that orc (role: 1), uh oh...

    Edit, edit.

    I try and punch myself in the face (role: 1), hurray!

  • "roll play" :P

    grep is your friend.

  • Linc Detroit Admin

    Aside from editing, the other issue is just faking a computed dice roll in your original comment.
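    The design Linc and Todd describe in this thread (compute the roll once on insert, keep it in a column the author can't edit, seed it from the post's ID and timestamp, and render it after the body so text typed into the comment can't pass as a roll), as an added example in Python; this is not DiceRoller's or Vanilla's own code. The in-memory CommentStore, the `/roll NdM` syntax and the server-side secret mixed into the seed (an addition to Todd's seed idea, so a poster can't precompute the result from a guessable ID and timestamp) are assumptions.

```python
import hashlib
import hmac
import html
import re
from dataclasses import dataclass, field

# Assumed server-side secret (load from config in a real deployment). Mixing it into the seed
# keeps every roll reproducible for the server but unpredictable for the person posting.
SERVER_SECRET = b"constructed-example-secret"
ROLL_CMD = re.compile(r"/roll\s+(\d{1,2})d(\d{1,3})\b")  # assumed syntax, e.g. "/roll 2d6"

@dataclass
class Comment:
    id: int
    timestamp: int
    body: str
    rolls: list = field(default_factory=list)  # separate column: never part of the editable body

def roll_dice(comment_id: int, timestamp: int, index: int, count: int, sides: int) -> list:
    """Derive each die from HMAC(secret, id:timestamp:index:die); fixed once the post exists."""
    result = []
    for die in range(count):
        msg = f"{comment_id}:{timestamp}:{index}:{die}".encode()
        digest = hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()
        # 64-bit value reduced mod sides: bias is negligible for dice-sized ranges
        result.append(int.from_bytes(digest[:8], "big") % sides + 1)
    return result

class CommentStore:
    """Constructed in-memory stand-in for the comment table."""
    def __init__(self):
        self.comments = {}
        self.next_id = 1

    def insert(self, body: str, timestamp: int) -> Comment:
        c = Comment(id=self.next_id, timestamp=timestamp, body=body)
        self.next_id += 1
        # Rolls are computed only here, on insert, and stored apart from the body.
        for i, (count, sides) in enumerate(ROLL_CMD.findall(body)):
            c.rolls.append((f"{count}d{sides}", roll_dice(c.id, timestamp, i, int(count), int(sides))))
        self.comments[c.id] = c
        return c

    def update(self, comment_id: int, body: str) -> Comment:
        c = self.comments[comment_id]
        c.body = body  # only the body changes; stored rolls are never recomputed on edit
        return c

def render(c: Comment) -> str:
    """Escape the body, then append the stored rolls so typed-in text can't impersonate a roll."""
    parts = [html.escape(c.body)]
    for spec, dice in c.rolls:
        parts.append(f'<div class="dice-roll">{spec}: {" ".join(map(str, dice))} = {sum(dice)}</div>')
    return "\n".join(parts)
```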
