How to check is the form has not been "attacked" [closed] - javascript

Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 4 years ago.
Improve this question
I have to make some custom forms,
the thing is, I will need to use JavaScript to make them, here is a little image :
It's like a select, but in a carousel, so, I can know what items is selected, the thing is, I need to calculate a price over fields like that, and people can like, spoof the system, and just change the active element, make the element the cheapest with the element they really took, maybe the more expensive you see ?
But how can I ensure that the user didn't changed anything, I guess it will be an Ajax to ensure the information in the server, because they can't change anything on the server, but in the server how can I send the good data if the user spoofed it ? Maybe I could add on the HTML something like : data-server-element: 1, data-server-price = 50. But the data-server-price will only be here to calculate the price with Javascript and I would have an array in my server side which will tell me : data-server-element : 1 ====> 50. So if he change the data-server-price, he will pay the real price. But if he change the data-server-element he can do anything he want, I see how to resolve a problem, but that resolve add some more problems. I am certainly wrong in the process and in the logic, which is why I am calling on you to find out, because I cannot afford to let someone pay less than they should.
Thanks for your help.
(Maybe this question is already here on StackOverflow, but I didn't find out an answer that could help me, If so, I apologize, usually I do some research before I ask a question here)

You can't trust anything that happens in the browser.
If you want a different price for different regions, calculate it on the server and send it back to the browser to show the user.
However do not use this price when the user submits the form. Recalculate the price on your server then use that.
There is no way to stop the user from changing anything or everything in the web page or the data that they send back to you. Never trust anything you get from the browser.

It's great that you've realized this! A lot of people don't, and we get horribly insecure webpages. In fact, you can take the idea even further - an evil hacker will probably not bother with your webpage and javascript at all. They will just make their own HTTP request from scratch with all the fields set to whatever they please.
There really is only one solution to this and you've also come up with it yourself - you need to validate and re-calculate everything on the server side. Just take the basic data (like which choices he selected) and go from there. You can even make your form in such a way that it doesn't bother sending the calculation results that were done client side. You can't rely on them anyway. They're only good for the convenience of the legitimate users.

Related

How to use programming logic (e.g. JS) on Google Forms?

Ok, maybe this question is not extremely well-formulated, but I have a problem and I want to solve it, hence the existence of this question. There is a Google Forms form in which, in its current state, users answer questions and, after they have answered such questions, they themselves have to compute their results (a simple algorithm) (it's, to be precise, it's a Vark-style questionnaire (not that it matters)). That is cumbersome and prone to error, so I am in charge of making the form itself compute the thing and show it to the user afterwards.
So I figured I just gotta be able to program an output based on inputs of Google Forms. Such an output would ideally dinamically change on the screen (as the user changes his answers), but it can also be shown after the questionnaire has been answered. What is the way to go? I searched a bit about it and it seems one could use Google App Scripts to make an add-on for forms... Is this overkill or the way to go?
Thanks!
There is already an inbuilt system as to where the Google Forms form calculates the score. However, there is a catch , the questions need to be in MCQ format .

Uncovering a hidden link [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 7 years ago.
Improve this question
I'm a complete layman and despite my utmost attempts (involving visiting about 100 different pages), I wasn't able to solve my problem. I'd be really grateful if anyone would be willing to help me out.
Say there is an elaborate website using Javascript, where you register, have your own profile etc. It asks you to register for one of a few time slots. You do it by clicking a hyperlink, which has this annoying feature (discussed elsewhere on this website, see here: how can url be hidden in hyperlink when mouse hover ) that it hides the link. Is there a way to uncover it?
By uncover I mean a way in which I would be able to register for a given time slot without clicking the hyperlink, but rather via copying that hidden link (or typing it in) to the address bar of the browser. I have tried using Firebug and Tamper Data, but to no success. Both programmes provided me with viable candidates for links, but when I copied them to address bar and pressed enter, it didn't result in a registration for a given time slot.
Finally, Tamper Data tells me that 'Content-Type=application/x-www-form-urlencoded', whereas Firebug indicates that 'enctype="multipart/form-data" right above the table with hyperlinks, so I begin to think there is some sort of encryption in place which is meant to prevent me from getting what I want. And I'm sure owners of this website would want to prevent me, but are they able to do it?
So all in all, is it even doable? Apologies if this all sounds too broad, I'll be more than happy to make it (or at least try to make it) more clear.
Thanks a lot and apologies, but I really don't know what I'm doing here.
As Yang Li said: it depends.
If a website is using a lot of javascript to perform on screen changes and network requests, the likelihood of you being able to just use a URL (even if it is the url used by a javascript script) to perform an action is low.
Most websites these days that rely on javascript would have data elements hidden to the user which may affect the way an action is relayed to the server. Think hidden form elements.
And on the server side, who is to say that the order you are trying to use that URL in is correct? You would have to run through the code piece by piece, along with observing the network requests to be certain.
So in answer to your question, it MAY be doable. The more important questions is: is it advisable? I would suggest not tampering too much with the way the website works on your browser, as it was intended to be used in a certian way. You can't be sure of all of the side effects of using it in an unintended fashion.

Prevent user from copying URL from address bar [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 8 years ago.
Improve this question
I've looked around everywhere and it seems like there's no way of accomplishing what I need to do, but I thought I'd ask to see if anyone could think of a workaround.
I have this portal (intranet) where users can send some posts to their friends and family (job openings, basically), there's a link to send those by email, however users are copying the URL and sending it via email or texts, this URL however contains internal links that we don't want to be visible to others outside the company (yes they need a login anyway, but heads of IT are concerned)
We first thought of hiding the URL but as I understand, all browsers have disabled this option for a while now for security reasons (even IE since IE7).
The only other thing I could think of was to somehow prevent the users from copying the URL, sort of like a "readonly" or "disabled" text input, but haven't been able to find a way... I assume it cannot be done since the address bar is not actually within the site, therefore out of JavaScript control.
Can you guys think of any other workaround?
you can use history.pushState() to set the url bar to something that doesn't give away secrets. for example, run this in the console:
history.pushState(null, null, "/");
After running, it now looks like you're on the stack home page, even though you are still on /questions/26537657/prevent-user-from-copying-url-from-address-bar/. it won't stop hackers, but it will prevent naive users from spilling the beans. you can use this to compose vanity urls as well as short ones. just make sure the server knows what to do with any url you generate because when you return via that url, it uses the server, and thus it will need to produce something meaningful.
edit: as kindly pointed out in comments, history.pushState() create a new history entry. this might not be what you want if this page will papear mid-workflow, as opposed to a popup or other end destination. Uf that's the case, you should use it's non-creating counterpart:
history.replaceState(null, null, "/");
That will just replace your current url in the address bar, without creating a new entry, so that back goes back.
There seems to be some confusion about pushState's implications on security. there is no such thing in client-side code. It bears repeating: "this won't stop hackers", it will just provides shorter bookmark-able URL to your users and prevent them from worrying the IT dept, regardless of the merits of IT's discomfort.

Fast managing of tables with ~10k rows in Javascript [closed]

Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 9 years ago.
Improve this question
I've been working with tables and a huge amount of data. There are a tables in my website with 10 thousand rows. This table has dynamic search, filters, etc. I've been using pure JavaScript considering performance, but it gets laggy with this amount of rows.
Do you guys know any alternative for pure JavaScript with better performance?
EDIT> I REALLY need to load the 10 thousand rows at once. I can load them all in the browser in 5 seconds. The main problems are the filters and search...
EDIT2> The search is dynamic. I can search by name and filter it by first character.
I've been working on it for months...
SEARCH:
search when the field has more than 3 characters and only when its length and characters has changed (onchange event on input may trigger multiple times when a character changes, so I make sure it only triggers once using some verifications)
each row that matches the searched string is coppied to another table. The original table is hidden and the new one is displayed.
when the user changes the search field or cancel the dynamic search, the new table is erased.
Conclusion: it's faster to create a new table with desired elements than hide the undesired ones.
FITLER
The rows are actually in 25 tables (A to Z + non-alphabetical characters)
When you select a character, only that table is shown
Conclusion: it's faster to hide a whole table than hide the
undesired rows
Thanks for the repplies. I've edited with some extra info so we can narrow the possible solutions...
I'm asuming you get the contents from database and load with with something like PHP (I'm going to asume PHP for now)
You could make the Javascript make an ajaxcall to a php-file which does the filtering (actually you should make the database do it, a lot faster!) and place the resulting table back on screen.
A faster method combined with the above might be this: Get all id's on the initial rows in an array and save those (in a session might work pleasant).
When you have to filter, don't make PHP get the whole table, just apply the filter to only the stored id's and send javascript the matching rows.
Then make javascript do something like this:
- set all visible
- set resulting id's to hidden (hidden in favor of remove, because I think a user might perform multiple filter actions?)
Another idea just popped in my head: If you don't need to display it on load, you can start the initial load with all tables hidden and a message "please search to display".
A common technique to handle this case is to load the data in memory or a subset of the data, and recycle your table rows such that you aren't actually ever creating thousands upon thousands of rows. You can get creative with this and create a web interface that seemingly scrolls endlessly but in reality you are just reusing dom elements and shuffling them around.
Most well-built data grid widgets whether they are on the web, mobile or even a desktop interface will employ this technique to handle your particular problem.
In most cases a user will never actually find themselves benefiting from seeing 10's of thousands of rows of data at once anyway.
fetch from the server only the things to be seen by the user, Like everyone has pointed out 10,000 rows needn't be there on that page.
you can use the concept of pagination and for every page few rows are fetched and shown . JQuery's Ajax is capable of calling the server side function to fetch rows to add them to your page.
don't know any backend details here, but in struts framework there is display:table tag and I believe in .NET framework there is GridView for pagination in the client side that you can look into
I'm just a student, newly joined to the community. Take what I say with a grain of salt.
I'm not sure why everyone is so much as blinking at the ten thousand rows business when we're measuring modern personal computers' memory in gigabytes.
Alright. I'm going to assume that what you're doing needs to be done in the browser, and so you can't switch to doing native code. In that case, looking for an alternative to Javascript won't get you much of anywhere. In the context of a browser, you're looking at an interpreted language. In terms of number of instructions the program ultimately has to run, the difference between one language or another is negligible in the face of how long it takes to be interpreted. Besides, Javascript has gotten nicely polished over the years.
So never mind that. There's a much more important thing to consider here, and it applies no matter what you're programming in or on: The cache(s). Igor Ostrovsky explains it beautifully; read it until you grok it.
So I'm guessing you have objects that would stringify to something like, "obj1 = {field-1:'a', field-2:'b', ..., field-n:'n'}". And you can select a field-i to sort by. The trouble with this is that when you sort by field-i, you're loading the entirety of obj1 into the cache, even though you don't need it. What you really want to do is load the field-i's forobj1, obj2, obj3, ..., objm all at once. So you look at an array, stringifying to something like: "field1 = [refToRow1, field1inRow1, refToRow2, field1inRow2, ..., refToRowM, field1inRowM]".
You might not be able to do fit all M rows in the cache, after all M==10000! But you can group them together into chunks that you could reasonably expect a cache to manage. Anyone got a good number for this? Say, 64kB? So you figure for each i in M you've got a reference, and a field that's probably just a reference to a short string (it'd be better if you could have the string itself right there, but I don't think Javascript works that way). So that's 8B? 8B*1024 = 64kB? Hell, if that's right, you could fit it all into the cache in two chunks, which means you'd want to do it in 4.
So now you've got a collection of smaller arrays, and you want to sort them. This is a classic application for B-trees. And while having a separate B-tree for each and every column in the table may seem like a lot, it's not.
Okay, so that handles sorting. You tell it to sort by a column, and the truth is it's already sorted! You're just repopulating the visible table using a different b-tree. You still need to handle filtering, but that's fine. You do some cache juggling as you find something to display and follow the reference to get the other fields, but I'd still expect this to go fast since you're skipping over so many rows.
Normally, I would say if you want to speed things up, look into multiprocessing. But I think browsers are still working to make that a thing with their Javascript implementations. Plus, while it would be well-suited for sorting, it would be a lot of effort to make it useful for the filtering part, and I expect you can do fine without.
I hope this isn't too scatter-brained, and that it gives you some ideas. Good luck!

Best way to ask confirmation from user before leaving the page [closed]

As it currently stands, this question is not a good fit for our Q&A format. We expect answers to be supported by facts, references, or expertise, but this question will likely solicit debate, arguments, polling, or extended discussion. If you feel that this question can be improved and possibly reopened, visit the help center for guidance.
Closed 11 years ago.
I am currently building a registration page where if the user leaves, I want to pop up a CSS box asking him if he is sure or not. I can accomplish this feat using confirm boxes, but the client says that they are too ugly. I've tried using unload and beforeunload, but both cannot stop the page from being redirected. Using those to events, I return false, so maybe there's a way to cancel other than returning false?
Another solution that I've had was redirecting them to another page that has my popup, but the problem with that is that if they do want to leave the page, and it wasn't a mistake, they lose the page they were originally trying to go to. If I was a user, that would irritate me.
The last solution was real popup window. The only thing I don't like about that is that the main winow will have their destination page while the pop will have my page. In my opinion it looks disjoint. On top of that, I'd be worried about popup blockers.
Just to add to everyones comments. I understand that it is irritating to prevent users from exiting the page, and in my opinion it should not be done. Right now I am using a confirm box at this point. What happens is that it's not actually "preventing" the user from leaving, what the client actually wants to do is make a suggestion if the user is having doubts about registering. If the user is halfway through the registraiton process and leaves for some reason, the client wants to offer the user a free coupon to a seminar (this client is selling seminars) to hopefully persuade the user to register. The client is under the impression that since the user is already on the form, he is thinking of registering, and therefore maybe a seminar of what he is registering for would be the final push to get the user to register. Ideally I don't have to prevent the user from leaving, what would be just as good, and in my opinion better is if I can pause the unload process. Maybe a sleep command? I don't really have to keep the user on the page because either way they will be leaving to go to a different page.
Also, as people have stated, this is a terriable title, so if someone knows a better one, I'd really appreciate it if they could change the title to something no so spammer inviting.
As soon as I saw the words "prevent the user" I started to wail in agony. Never prevent the user, only help them.
If they see your registration page and run off, that's their choice. Pop up a javascript confirm box if they've already filled in some data (because they might be navigating away accidentally) but leave it at that. If they haven't touched the form, leave them alone - they don't want to fill in your form.
Look at other methods of engaging users. If your form is huge and scary, break it into simple manageable chunks or better yet, simplify things so much that the user only gives you data when you need it. For example, you might not need their address until you want to post something to them.
By breaking it into multiple parts you can hook them with a simple form and once they've invested that time, they'll be more likely to continue the process.
But don't harass users. If they don't want to register, pestering them with pop-ups and jaavscript dialogues will just chase them off the site completely.
With that in mind, assuming you're just trying to stop people half-filling-in forms, there are a couple of options to genuinely help people:
Detect if the form has changed and ask them a simple confirm() message.
This is all you can do. A CSS "pop-in" just won't work because you can't control* the window location in the unload event.
*You can put an event listener on all your page's links to fire off something to check the form, but this only helps if the user clicks on one of those links. It won't help if, for example, the user clicks back or closes the window. You could do both CSS and javascript but you end up with a bit of a mess.
Persist the state of the form behind the scenes.
An extension to #1. Instead of squabbling with the user, let them go where they want but save the content of the form either to session or cookie (if it'll fit) and put something on the page (like SO's orange prompt bars at the top of the page) that reminds them that they've started filling in a form and gives them a link back to the form.
When they click that link, you load the data out of the cookie (or session) back into the form and let them carry on. This has the clear benefit of letting them do what they like on your site and keeps the data safe.. ish.
If they don't come back and their cookie/session expire, that's their fault. You can only lead a horse to water. It's not your job to force it to drink.
Don't do it.
But if you want, try this. Record mouse positions and detect a quick upward thrust -- the user is reaching for the BIG X or the top left or top right. Now might be your chance for an unobtrusive box in the screen.
I've seen this implement on the web and it is evil.
If you want to trap links, you could rewrite the links in the page to go to a "you really want to leave?" javascript function, passing the destination URL as an argument.
If you wanna keep users from using their "Back" button, or keep them from putting another URL in the address bar, stop. Stop now. (1) Browsers were made to prevent exactly that kind of obnoxious behavior, and (2) Even if they allowed it, see the last two words of (1). It's freaking rude. Your site is not that special, no matter how cool you think it is.
window.onbeforeunload = function() { return "Message"; };
Use a JavaScript like this to display a leave confirmation message.
Here are just a couple of approaches I could think of but they are not without flaw:
Whatcha Gonna Do technique
Detect the mouse position going towards the edges of the browser as the user might be going to close the tab, window, go back, navigate elsewhere among other things. If so, immediately prompt them that that may be a mistake and they are going to lose out on something very valuable. However, the catch here is that you don't know for sure what their intentions were and you might piss them off with that popup. Also, they might use a bunch of shortcuts such as Ctrl+W etc to do the same.
You've Got Mail technique
If you've managed to get hold of the user's email address before they closed the page, you've hit a jackpot. As soon as the user types anything into the email box and then leaves it, immediately send it to the server using AJAX. Save the state of the page into localStorage or on the server using a cookie or something so it can be recreated later. Every couple of hours send them an email giving them a direct link to the previously saved form, and maybe with special offers this time.
History Repeats Itself technique
Then there's the infamous history manipulation where you keep stacking the current page into the document history so the back button renders effectively worthless.
Don't Put All Your Eggs In One Basket technique
Another technique off the top of my head is to create multiple windows in the background with the registration form and keep them all in sync when any the fields in any one changes. This is a classical technique and really puts the "don't put all your eggs in one basket" saying into real-life usage.
Another advantage of this awesome technique is even if the user closes one of the windows, and later comes across an identical cloned window with all the fields they filled up-to-date populated, they might get confused and think that they never closed the page. And guess what, this time they might just go ahead and fill out the registration form. But you have to be cautious with this as anything more than 2 or 3 clones will make it obvious as to what's going on.
You're Winner technique
Another technique is to tell every user they they are the Xth visitor on the site and use a good rounded number for X such as 1000, 10000, 50000, etc. Tell them that they can claim their prize once they register on the site. Imagine how special each user feels when they land on your site. The prize doesn't have to be anything tangible, it can simply be free coupons that you find on the intertubes.
Where Do You Want To Go Today? technique 1
This is basically a rip-off of your answer. Use document.location.href = 'some url' inside your onbeforeunload callback to navigate to a different page before it is unloaded.
1 Firefox only.
Note: there is no silver bullet solution here unless you write your own browser with your own security policies, but these are all optimizations that you can do to make it utterly impossible for users to leave.
Not all browsers support a modal popup, without which your page would go ahead and navigate anyway.
This is real awful requirement. The sort of requirement that is reasonable in a desktop application but entire unreasonable feature of a web site. Imagine being unable to leave a website.
The answer is either use the horrible confirm box and lump it. Or don't ask the user to enter too much data per page. Use a step by step wizard style data entry, the loss due to accidental navigation is minimised.
You can change the Value of the url using document.location.href = "www.website.com"
I can accomplish this feat using confirm boxes, but the client says that they are too ugly.
If the problem is the ugliness of the standard JS popup boxes, try something like this: http://www.sohtanaka.com/web-design/inline-modal-window-w-css-and-jquery/
Apart from that I second what most people are saying: do this with extreme caution if you don't want to lose users.

Categories