I am trying to send a json object that holds quiz data [including answers] from my code behind to javascript. I used...
var quizJson = <%=jsonObj%>
but the issue is, my users are smart enough to use view source and reveal the answers. Any suggestion?
Thanks in advance
The only correct solution is not to send the answers to the browser in any form. The browser needs to send the answers that the user enters back to the server. Then you use the server-side code to determine if the answers are correct.
Do an AJAX call when the user chooses an answer. This way, validation will be external and the users won't be able to view the source to find the answer.
Anything you send to the clent for use in client side scripts can be read by any client. Even if you somehow obscure the answer in the source, anyone can pull up a debugger and see the real answers when you "decode" them. This is just like a lot of classic game hacks, where people would disable walls and see what is past them. Anything you send to the client is vulnerable!
The only way to protect the answers is to keep them on the server. Post the attempted answers to the server, then grade them there and return the results to the client.
Use a simple encryption (like this) in order to hide the text from the user. If the data is not important, then that will drive off the average inspection.
However, if the answers are important to keep hidden, then keep them hidden...and off client side.
Related
I have a NodeJs+Express+Mongodb website. I have some input, and I read a lot of things about sanitizing.
Input javascript : handle input client side and display possible page available. When data are correct, suggest a link to redirect client to a page.
Here is sort of a duplicate, it would most likely be helpful for you to read it: Do I need to sanitize user input before inserting in MongoDB (MongoDB+Node js combo).
To summarize it, as long as you are not executing direct String input as a direct MongoDB command, you do not need sanitizing. If you were though, sanitization would happen any where that the user can input information that is executed, e.g. forms, search bars, etc.
I hope that helps, if you still have any questions just comment below and I will help you!
I have a large-ish amount of server-side data that I need to store in a mySQL table. [I'm a novice, working through the learning curve of javascript & php.]
I'm thinking it's best to stringify the javascript array into a JSON object and send that to a PHP page to save to the database. Once the data's in a PHP array, I know how* to get it into the database; I'm just not sure what's the best way to get it there.
I can't POST (like this example) since the maximum length of a POST string is 2048 characters, and I have maybe 10-20kb of data.
I'd rather not use AJAX or Node.js (like this example) for the sake of simplicity, and since this is a one-off (but both on my list to learn in the future!)
Or, would it be best to create a temp text file to the server with javascript, and then call a PHP page to load & process the data? (Although I can't find examples of how to do that without using POST.)
I understand the difference between server-side & client-side (thanks to this great explanation) but the size limit of POST seems to be my issue?
*Also I'm a little unsure as to when/how it's necessary to encode data (like with this deprecated mysql-real-escape-string example) for storage with {json/posting/DB tables/text}. In this case my data could contain 'single' & "double" quotes (but no foreign characters 国外 वर्ण), which [in my short experience] seem like the only times it will be an issue?
Thanks!
The problem is that Javascript is client side language while PHP is server side language. This means that PHP cannot interact with the user without some HTML, CSS or JavaScript and visa-versa, JavaScript can't interact with server side files without some PHP. Why is this? Since JavaScript is client side the user can edit it as they can see the code while with a PHP script it is all on the server and they are not able to see the code, only what it outputs/prints. So in short you cannot do what you are asking without POST or GET and it is not possible to do this without a server side script such as a PHP script (Python is also very useful if you are thinking of learning more about web backends).
There are numerous example of how to do this that you can find with a simple google search, here is a great example send data to MySQL with AJAX + jQuery + PHP
Hope I could clarify your question.
I'm updating a database via PHP with data that's being sent via ajax. Is there a way to tell whether the script that is sending the data is called by the page on which it is included (remotely hosted), or just being hacked into the JS Console by someone who's "inspected my elements" and trying to pull a fast one?
Thanks in advance...
Danny
There really is no way of telling between either of them, but you can make the job much harder to do.
But since you say that 'it won't start wars', working off of that, there are a few ways of 'securing' it.
Step 1 : Creating 'Verification' calls
If you aren't already, the very first step would be to implement a few preliminary AJAX calls that retrieve certain variables which are later used in the calls that follow, for example:
Call #1 Retrieves Security-Token
Call #2 Creates a cookie Security-Token-2
Call #3 Call to your php script with Security-Token encrypted with Security-Token-2
What your page would then do, would decrypt the sent text with the 'token' stored in the cookie and use that.
Step 2 : Adding extra logic into javascript
You can add some encoding-decoding logic into the javascript,
I'm not saying this is going to be hard to break, but It might be tough, especially if you obfuscate your code (We all know obfuscation is no good, but bear with me)
Step 3 : Don't keep any names
Another thing you can do is remove all the names from the AJAX variables, or better yet, the names can be different every time.
If you want to go even further, you can encrypt the names, and plus to the encryption add a component of randomness by introducing an IV, and storing the IV in the cookies (maybe even encoded for added security).
(EDIT) Found the 'dynamic name generation' solution I was looking for:
Dynamic Field Names in PHP
The solution was initially designed to fight spambots which 'autofill' certain fields, and if the field names look random it doesn't know which fields are 'traps', however you could use it to generate the names for your AJAX calls.
In the end though, it is always possible to crack, all one needs is enough time and money.
This is a youtube guide by phpcademy (now codecourse) that throughly explains how to prevent CSRF (Cross Site Request Forgery) in PHP.
It involves generating a new random token every time a form is submitted.
Afterwards you check if a token has been posted. If not, the request is not authentic.
EDIT: you needn't be worried about people seeing the token when inspecting the page, as you have your own (server side) way of validating your token.
Let's say a website needs to pull information from a specific table in a database based on a user's menu selection. That table's data is then fed into some JS equations and thrown onto the page.
What is the best way to go about pulling that table's information? I've read that trying to access an SQL database via JavaScript is bad practice, so is there another way to do this? I know about PHP's json_encode, but I guess I'm not entirely sure
What the syntax is if I'm calling PHP from a JS script, and
If that's 'best' practice. Still relatively new to this, so I'd like to do this right.
Another option as far as I'm concerned is attempting to pull ALL of the possible tables (not a security concern) at once on page load. I expect that'd introduce a good deal of latency, though.
It looks to me that you are not really sure what technique to use. Here are some options. I'm not going to type them here because, there is enough to find about each one:
plain php: w3schools
pure ajax call: stackoverflow
jquery: jquery
Ajax calls are more user friendly and many times more efficient because, you don't have to refresh the page. I usually get all information at once( as long your mysql data is not to big). As for security: You use php either way so it doesn't matter if you use Ajax or not. Oh and don't select valuable data of users data (like password or their emails). I hope you get more overview after this :)
So I have a game written in HTML5 which is all fine and dandy. At the end of the game there is a score the player recieves. I want my game to send me how many people have a score of atleast 100 or above. I need this statistic to balance out the game accordingly.
I was thinking I could make a txt file in a dropbox account and make the game edit the file.
Now pls dont tell me about security issues I am aware that they can change their score in the javascript console which sends false data.
How do I go about solving this simple task? I just need a way to tell how many people are getting a score of 100 or above from my game.
Thanks !!!
You will probably need to use a server-side language such as PHP to write to a remote file.
You will want to javascript something simple that when the the score is >100 (or whatever your threshold is) you would do a simple (probably ajax) query to a server.
While plenty of people are telling you to create a server-side app, if you do not already have a server, there are simpler ways to go. For example I believe google spreadsheets has an api or even better you could use something like Parse Data which is a free database-as-a-service with a simple javascript API and intended just for that purpose.
On the other hand, if you DO have a server but don't feel like setting up a full programming language to respond to API calls (which is NOT terribly hard by the way), you could use the server log. Whenever the user hits 100 points for example create a little invisible <img src="http://yoursite.com/i-got-over-100" height=1 width=1 style="position: absolute, left: -10000" /> then just check your server logs for how much i-got-over-100 was hit.