I am using the below javascript to load the captcha in my site. This is working fine.But in my first login it defaultly show the number "5AbD". How can i change it.
http://wiki.asp.net/page.aspx/1369/simple-captcha-code-in-javascript/
I user the above link javascrtipt. I can't able to post this script here..
You dont provide many details, but often something like this is related to a random number being generated every time with the same seed. If you rolled your own captcha I would look into how you are generating the string. Commonly one passes the system tick count as the random number seed.
Otherwise, you don't really provide enough information for anyone to give a helpful answer.
Edit:
1) After seeing your code, first I want to say that as captcha this is extremely flawed. The whole point is that a bot cant determine the code and automatically enter it. This is why they are usually images generated on the server. It is difficult to extract the value from an image.
2) It is showing the same value every time because you have not coded it otherwise. You are literally starting with the same -hard coded- value and modifying that. Look into the Math.random() function for generating a random number for the initial value instead of hard coding that. But, referencing point #1, I would scrap this whole javascript thing altogether because as captcha it's useless because a bot could just grab the value of that control and fill out the form with it.
3) The steps for implementing captcha are usually something like: generate the random string on the server, save that string to session, generate an image with that string (with some noise/font funkiness to prevent an image processor from easily being able to read the text), then display the image on the page. The actual string value never leaves the server. When the form is submitted, you just compare the user value with the value you previously stored in the session. But rather than go through all of that (unless the whole point is as a learning exercise), you might think about using any of the pre-made captcha controls such as recaptcha, etc. Either way, look into the random number function, because as long as you are always starting with the same hard coded values then you will always get the same result.
Related
Lets assume I have a Form which has 3 input fields:
gross amount
value added tax rate
net amount
The user can fill out the gross amount and the value added tax rate field. The net amount field is set readonly.
Now I want to save time and increase permformance by let javascript calculate the net amount and fill the required field and pass this value to the database.
The only thing I would check is if the net amount field is empty e.g. with Symfony NotBlank constraint.
Is this bad or bad practice to take the javascript calculated values?
Never trust the user. Do everything you can on serverside, even if you've already done it on clientside - especially not a trivially simple calculation like that that will not save you almost any time on serverside.
EDIT: Unless, as Sharky says, you don't actually care about the two other values, and are providing the calculation only as a courtesy to the user. In this case, net value is the real input field - even if it is technically readonly. Validate it and store it as such, and don't even bother transmitting the other two.
There are three dangers here:
Malicious code injection
This occurs by displaying something a user entered directly back onto the screen or another screen where the user has tampered with the data. For example, a user is asked for their name and types <script>alert('You got hacked!');</script> instead of their name. Every user that views their profile will see this code, and if you don't check, it is possible it will execute it on every person's machine that looks.
This would happen if you had a page in the system that displayed the user entered data back without checking it first, in your case perhaps a page that displays the current values from the database.
You can avoid this situation by sanitising what the user types in, or by checking it on the way out of the database.
For your situation though, if you store the values in the database as numbers instead of strings, then you won't have a problem.
Manipulating values in javascript
You have a much bigger problem though, and that is that you should perform calcuations on the server side. It is possible for the user to manipulate the value of the net amount and send anything they want to the database.
If a user is buying something from an online store, for example, and they add 5 items to their basket costing £1.00 each, then if you calculate the total in javascript (£5.00) and submit and store that, it is possible for the user to edit it and change the total to £0 and get the items for free.
For security you should of course calculate the cost on the server, and use values that you personally retrieve from the database - don't re-use any data sent from the user in the backend because they could also edit the individual item cost to £0 as well.
Javascript number accuracy
Just as a bonus, you should also be aware that your front end and back end may calculate values differently when you're adding and multiplying numbers together. Consider this code:
var total = 0.3 - 0.2;
If you expect total to be 0.1, you're wrong - the answer is something like 0.99999999998.
Javascript doesn't handle floating point numbers very accurately.
I would like to create order number (following) in header, which would create automatically for each different opening the file by customer. Can I achieve this by using some functions in JS? or another? In attached screen this number should generate in each opening file
I presume that you are using Acrobat Pro to create the PDF form.
The quick and easy way to do this is to auto generate an order number based on the current date and time. Create a text field in your form (I've called mine "ordernumber"), double click it and go to the calculate tab then insert the following two lines into the custom calculation script box:
f = this.getField("ordernumber");
f.value = util.printd("yyyy/ddmm/hhmmss", new Date());
This will give you a unique order code (unless someone creates two orders in the same second!). You can change around the year (yyyy), day (dd), etc to make something that you like as a format.
If the order number needs to conform to an existing format or align with other systems then you would need to get the PDF to access an external database or something like that which would be a bit more complicated and beyond my knowledge.
It depends on whether your order number has to be unique only, or whether order numbers have to be consecutive.
In the first case, #Chris' answer pretty much gives the solution; you may be fiddling around with the base data, but that's it.
If the number has to be consecutive, there is a possibility if the use of the form can be limited to one single computer. In this case, you would create a Persistent Global Variable (which is a variable that is written back to the system, and can be reused the next time you open the document). See Acrobat JavaScript documentation for code samples. When you open the document, you read in that number, increment it and feed it into your order number field, and write it back.
If the number has to be consecutive, and the order form is used by several users, you will have to maintain the order number externally (which means, on a server). In this case, it might be even better to have a server-side order management, where the user may enter some base data, and then gets the prefilled order form made available.
consider I want to make a multiple step registration form with Javascript(e.g. Angular) and I don't want to do some ajax before all steps are completely done.
I've thought may be executing a function in Javascript which take user email as an argument which determine whether email exist in database or not.
but actually I don't want my function to do Ajax call.
consider each time a user is registered in database this algorithm should be updated.
it's a little hard to say but I mean there should be an algorithm which determines an item exists or not without having items. (I know it seems a little silly. but actually its not).
you get all items from database once and with knowing all items you write an algorithm which determines whether an given item exist in database or not without knowing database items.
consider log in process system can determine whether user password is correct or not without knowing user password . system just knows some thing about user password (hash or md5 or ...)
so we can here execute a function on our existing user table and get some values and strings or ... and with these values we can detect whether user email already exist in database or not without knowing all items.
one of the reasons which I'm asking question is performance issues(consider user table with so many records.) and the second reason is just to be fancy :)
Generate a hash from the email address. Suppose the hash is a 20-bit value (just take the bottom 20 bits of md5 hash, for example). That means you need a 128K byte table where each bit is either 0 or 1 depending on whether there is an email which hashes to that value. You can easily check for an email present by generating the hash and looking it up in the table. A 1 means either the email is used or there is a hash collision. A 0 guarantees the email was not used at the time the table was generated. To reduce the chance of a collision, make sure the number of bits in the table is much larger than the number of users. 20 bits gives 1 million hash buckets.
So for every request you are going to build a custom response script containgn your entire dataset and send it back to the client for checking? Leaving aside the integrity problem if you don't check the email address sent back from the client and the need to hash the data to prevent disclosure, this is not going to scale well. It will work really quickly with 10s or even 100s of rows but it won't work for 10s of thousands of rows.
I'm creating a website, that has a button, I want it to work in such way that whenever someone clicks it a number is increased by one, I want this number not to be reset when the page is refreshed or accessed from somewhere else.
Please help me with a sample code... Im a beginner
As mentioned by #SLaks, you will need some method of storing this counter on the server - otherwise there is no way for a page request to know how many times it has been called before. To do this you will need both:
Server-side code to read the value and display it to the user, and also to update the value when the page is requested the next time, and
Server-side storage to actually hold the counter value.
One possible solution to this (without adding a huge amount of additional complexity) would be to use PHP to read/write the counter, and a simple text file to hold the value. There are other ways, but may make things a bit too hard (i.e. no need for a database to hold one value).
I want to write a little game where the users has to click on appearing elements/objects in a given time. In detail the objects appears in holes onto the ground and after x seconds the objects disappear. The gamer has y lifes and all clicks gets counted until he lost the game.
After that his highscore gets posted to a database (via form post or AJAX). Long story short how can I avoid the user faking his highscore before sending? The program language is JS.
I know its not possible to hide all the code and make it not hack-able. But I think it's enough if the code is so difficult that the user has to do a lot of work to understand where he has to intervent to send faked data.
Has anybody some ideas howto make the code as difficult as its possible?
Thanks in advance for any ideas :)
You should never really try to make your source code unreadable. It will make as great a headache for yourself than any obstruction to anyone modifying it.
That said, you could refactor all your variable names to complete gibberish and play with whitespace, but anyone seriously trying to understand your code could revert that in a decent text editor. To make it any more complex would take away from the efficiency of your program - otherwise you could fill it with useless calls to functions that don't do anything and strange incrementation of counters that the program does not depend on.
there are compressors that do exact the job you want! Some of them can be downloaded and used as offline tools, some are directly via web accessible:
http://javascriptcompressor.com
like jquery and others you can use your code to maintain the scripts and deliver a faster loadable packed version that is hardly readable
How about this:
Create two PHP pages, with one containing the game interface and the other containing the game's code. Program the first one so that it creates a one-time-use string that the tag will pass along as a parameter when it calls the JS code from the second one. Program the second one so it checks the validity of the string sent. If the string is valid, the script should output the JS code, then invalidate the string.
Then, when the user copies the URL of the script, pastes it into his browser, and hits "Return," all he sees is either a blank page or a "not authorized" message.