What are the best options for serializing and storing player data?

I’m looking into the best way to serialize and store data for a score system and player achievements system. Realistically I was thinking I would just serialize JSON out to the hosted server (would there be any security issues? Would I be using their device IP to log game play achievements?) but want to know if there are any pre-existing options that I could just use.

If there are no other options, what are the best practices when it comes to saving user data?

I don’t think Babylon.js provides such things. Pinging @bghgary.
In the meantime, you are free to use whatever you want, from local storage to server upload.

1 Like

I don’t have any good answers on this either. Like @Cedric says, it’s not something Babylon.js provides. I want to say you can use Azure or AWS for custom services or integrate with Facebook gaming, Steam, etc. for existing gaming services. But I don’t have a lot of experience doing this with web games. Perhaps someone in the forum has more experience and can chime in.

I would use MySQL databases and queries run via $.ajax.

It’s totally secure. It is however necessary to have small notions with PHP and SQL, but this can be learned very quickly and easily.

One can create a totally insecure system with any language or database even if they have a lot of experience. Be very careful if you’re going to be creating anything that is going to store a user’s personal info.

1 Like

I very often use PHP and MySQL and I have never had a security problem. I created PHP games with very large SQL queries and no one has ever been able to cheat or see any personal information. I also store a lot of personal user information and always in very secure ways with MySQL. PHP is a language that does not show its source code too, so it makes hacking more difficult. In short, I think that PHP and MySQL is still a good choice for storing user information. Many sites use this language too without problem.

Dad has it right. There are some security issues to take into account to stop players from injecting false scores with the ajax request, but that is another topic.

PHP will be your friend here for sure though. I would look at MySQLi and prepared statements as opposed to standard MySQL.

I just think the statement “totally secure” is a bit misleading to those who are inexperienced.

1 Like

I totally understand security, I was mainly focusing on if there were packages that Babylon would reference and if there were security issues related to them. But realistically I understand that I’m going to be working with back end PHP. Was hoping there was a plug and play option though :confused:

I did a very quick google search for “game backend github” and found this:



I have no experience using it, but it looks promising.

Here is their forum: https://forum.heroiclabs.com/

1 Like

Hey there,

I have plenty of experience both in web apps and in babylonjs games. https://gcapsarena.com uses such a system.

What I use is a nodejs login server to store the users information and to handle the database operations and a Game server to handle the matches. The Login server also instances game servers as needed in runtime.

On the other hand, the database (MySQL) is being accessed by a webservice written in PHP (my custom MVC webservice framework) which handles all the queries. In the login server there are some models for the database entities with the appropriate APIs.

Between the client, the login server and the game servers the communication is done via JSON through socket.io. I use the Facebook and Google api for the login, I do not use a custom login, I do all the validation server side and then store it via an API call. The page is secured with SSL.

Achievements in my system are stored via the userId. Of course, the user needs to be logged in in order to store achievements. This is all handled server side so definitely no security issues involved. You might want to secure your server though from outside access. Be careful if you are doing an old-style PHP website because those are prone to SQL injection attacks.

I hope this was somewhat useful to what you are doing :slight_smile:


Thanks so much Null, I checked out your game, it’s well done!

As for the communication from js to php (all I’ll need to store are achievements, scores) and I can do that with a mock username / pass, how do you handle that with babylon? Is it Ajax or do you directly call php methods from js? I quickly tried to extend my project but I’m seeing it’s a little more difficult than directly passing json or calling functions directly.

Do you have a sample snippet I could use as an example?

Okay so Babylon is a game engine, it is not responsible for the data layer of your application nor should it be. Also, there is no way to call PHP scripts or any other server side language for that matter from a client side language such as JavaScript directly, only through Ajax or asynchronous calls. Remember, JavaScript runs in your browser while PHP runs in the server, under a webserver such as NGINX or Apache. It has to be done through Ajax.

If it’s a single player game and all you need is to store achievement and score, you can use jQuery Ajax freely which I think makes it easy for you. jQuery.ajax() | jQuery API Documentation: this is where you find the library. Call your PHP file which saves the score through Ajax by passing a variable to identify the user, maybe a userID or a username if that’s unique for you. PHP side, check the validity of the username and if it’s all good, update the data.

Now right here you have a security issue. Your PHP URL is visible for anyone and anyone can send some fake scores by sending the username through that API. What you could do to block the “hackers” from cheating is start a match token every match. That is generated server side and retrieved with Ajax. It would be great if you could store the token both server and client side. On match end, send the score with username and token. Now here you have to validate the token as well. Set also an expiry timer for the token server side if you are going to store it using sessions. Otherwise it will still be easy to exploit. Also the token should expire immediately after the score update request. There is no simple solution to the hacking problem I’m afraid.

Maybe you will find this useful for your token generation needs: GitHub - RobDWaller/ReallySimpleJWT: A really simple library to generate JSON Web Tokens in PHP.
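
The match-token scheme described in the post above, written out for a Node.js backend as an added example (not code from the thread or from any poster's game). The in-memory maps, the `startMatch` and `submitScore` names, the 10-minute lifetime and the score ceiling are assumptions.

```javascript
const crypto = require('node:crypto');

// Assumed values for illustration; tune to the real game.
const TOKEN_TTL_MS = 10 * 60 * 1000; // longest plausible match
const MAX_SCORE = 100000;            // highest score a real match can produce

// Constructed in-memory stores standing in for sessions and a database.
const activeMatches = new Map(); // token -> { userId, expiresAt }
const bestScores = new Map();    // userId -> best accepted score

// Match start: userId must come from the authenticated server-side session.
function startMatch(userId, now = Date.now()) {
  const token = crypto.randomBytes(32).toString('hex');
  activeMatches.set(token, { userId, expiresAt: now + TOKEN_TTL_MS });
  return token;
}

// Match end: validate the token, then record the score for the session user.
function submitScore(sessionUserId, token, score, now = Date.now()) {
  const match = activeMatches.get(token);
  if (!match) return { ok: false, reason: 'unknown-or-used-token' };
  activeMatches.delete(token); // single use: burn it before any other check
  if (match.userId !== sessionUserId) return { ok: false, reason: 'wrong-user' };
  if (now > match.expiresAt) return { ok: false, reason: 'expired' };
  if (!Number.isInteger(score) || score < 0 || score > MAX_SCORE) {
    return { ok: false, reason: 'implausible-score' };
  }
  const previous = bestScores.get(sessionUserId) || 0;
  bestScores.set(sessionUserId, Math.max(previous, score));
  return { ok: true, reason: 'accepted' };
}
```

This rejects replayed, expired and cross-user submissions and out-of-range values; it does not prove that an in-range score was actually earned, since the client still reports the number.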


Thank you for your great response!

1 Like

There is also Node.js as a server architecture. You can keep everything in JSON, use the same language, and create simple REST APIs to handle your AJAX calls or run with Sockets for passing data back and forth. You can then push your information to the DB of your choice. I like NoSQL DBs when working with JavaScript, as the DB objects follow a JSON-like structure and can be passed directly from the server in that format.

As for tracking the device IPs, I would not go that route. If you have any users that do not possess a static gateway IP you will fall into the problem of IPs changing for the user. Even then, you still have the multiple users behind a single gateway IP issue to contend with. I would make them create accounts and assign a unique ID to them and store that based on their username. Then you can add a couple of checks upon startup of the client that will verify if the username and UUID are matched by the server (in case they get into the browser local storage). Even if they mess with the local storage, you can check that the values match and if not, update the variable in their local storage again. Or keep it as a constant in your client engine on log in.

1 Like

What I do, I create sessions with PHP at the time of connection to the game: session_start()
Then I save the nickname in a session: $_SESSION['pseudo']. All my SQL queries get this unique identifier.

Then, even if the URL of the php file is visible, you can not execute queries for a different user with the sessions. Also with PHP, we can check what is sent and executed if it is compliant.
You can also encrypt the data sent with Ajax and decrypt it with PHP (base64 for example), which allows you to send nothing not compliant.

Base64 is not encryption. Maybe you meant encode / decode.

Yes, decode/encode. Or encrypt / decrypt with something else. Base64 is not an encryption. Bad language on my part.

I figured and wanted to make it clear to others. I don’t know how you guys are able to speak more than one language. :slight_smile:

Yeah but if I am playing, I don’t care to change other users’ scores. I want to change mine. If not done correctly, even storing a session in PHP might not help. I mean, if your update URL is http://somegame/updateScore.php?score=100 then someone will definitely understand this updates the score.

1 Like