3

I will put this post into paragraphs to make it easier reffering to specific content.

  1. I have made a simple button in html that plusses a number with 1 everytime the button is pressed. This function is made in Javascript. This number has to be put into the database every 20 seconds.

  2. Since Javascript is running on the client side, every visiter will be able to change the current number of times the button is pressed, and that "fake" number will then be sent to the database after 20 seconds.

  3. The user should not be able to change this number, because it's considered cheating.

  4. I could use other languages to complete this like java, flash etc. but I need to make it working with Javascript/Jquery that runs on the client side. The reason for this is that it will take too hard on the server if there is sent a request to the server everytime to button is pressed.

I hope you understand all 4 steps, if not please let me know which step I shall deepen.

Question: How can I make a secure way of processing a number from the client-side to the database without the user being able to change that number on their computer? If I can't, any other suggestions?

Thanks in advance.

Improve this question
1
  • 1
    even if it were possible, the user could still simulate some thousands of button clicks via javascript. Commented Mar 26, 2013 at 12:33

2 Answers 2

Reset to default
1

First of all, your counter should be on your server. Don't let the client side tell you how many times the button has been pressed - store this yourself on the server (where no one can reach).

This will mean that you'll have to notify the server every time the user clicks the button. Furthermore, you'll need to make sure that each "click" is valid. You could do this by attaching a unique key to each of the buttons clicks. As soon as the user clicks the button, this key will be sent to the sever and validated. If it is valid, the server will return a new key to be sent when the button is next clicked.

You should be aware that it is very VERY easy to write a short jQuery script to manipulate clicks on DOM elements though. A command as simple as 

setInterval(function(){
  $('button').trigger('click');
},500);

Would trigger a click event on the button every 500 milliseconds (0.5 seconds).

Improve this answer
Sign up to request clarification or add additional context in comments.

9 Comments

however, that will take the same amount of server capacity as making this in PHP wont it? There will be sent requests to the server everytime the button is pressed I suppose?
Yes there will - but if you want to "secure" this functionality - it will have to be like that. There is no way to secure client side code 100%.
oh okay I see thank you a lot, so you suggest that if I want to make it 100 % secure, I can use Ajax to update the clicks to the server?
Yes - that's my suggestion. But you'll have to make sure each ajax call is valid - as any user can just generate a whole bunch of ajax calls.
So each click has to be "unique"? with a ID that is specified in the database or something like that? Won't that take a long bunch of time for the database and server to do that?
|
1

Code that runs in JavaScript can't practically be protected against "cheating". Your best bet might be data hiding:

var myobj = (function() {
    var i = 0;

    return {
        function setI(newvalue) {
            // do checks here
            if (true) {
                i = newvalue;
            }
        },
        function sendI() {
            // send value of i
        }
    }
}());

myobj.setI(123);
myobj.sendI();
myobj.i // undefined

Moving the logic that prevents data tampering to the server is better though.

Improve this answer

5 Comments

Does this mean that the user cannot see the code? And is it still cheatable that way? I am struggeling with my server because it can't handle too many requests per second and that makes it hard to do it on the server since the website will send a request to the server everytime time the button is pressed
@Peter just makes it a bit harder to cheat, but it can still be circumvented unless that's managed by server-side.
I see, however, won't it take a lot of server capacity and speed to have a button updating on the server all the time? Imaging if there are about 100 users pressing it on pretty much the same time?
@peter I don't know, but you can benchmark it, using ab for instance. It might not be a problem.
@Peter it's Apache Bench. You can use it to load test your server. To be honest, I don't think you will have continuous heavy traffic but this tool will give you some idea.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.