I'm protecting my HTML form using JavaScript because my users can just change the input values and I want to check if the input value is equal to the randomly generated number. I'm using an if/else statement and the if/else statement isn't working.

var pokeid = '+res.id+'; //generates random id
var html = '';
html += '<form id="myForm" action="myurl.net" method="post">';
html += '    <input type="hidden" id="goid" name="goid" value="'+res.id+'" >';
html += '    <input type="hidden" name="level" value="'+res.level+'" />';
html += '    <input value="Battle!" class="button" onclick="myFunction()" />';

</script>

<script type= "text/javascript">

function myFunction()
{

if (pokeid != document.getElementById("goid").value; ) {

window.location = '("http://www.myurl.net/index.php")';

}else{
document.getElementById("myForm").submit();

}

}

</script>
  • Have you not noticed the syntax error reported for that stray semicolon? Commented May 13, 2014 at 21:51
  • You do realise that a user can just as easily set pokeid = 12345 in their console, right? Commented May 13, 2014 at 21:51

2 Answers

2

There is NO security in JavaScript. All validation must be done on the server. Nothing else can be trusted.

That aside, you have a stray semicolon in the if statement, and your window.location assignment should just be a URL. Not those weird parentheses, quotes... things.


1

This is a very relevant article that you should read before you proceed with any client side verification.

"Do not rely on client side validation to validate the user input. Client side validation is great for helping the user input correct data. But a malicious user will not use this and could bypass the client side validation. Client side validation should never be considered as a security fix. Using javascript to validate input should not be used. As you can see javascript is very easy to change and modify on any html page."

Src: "http://www.testingsecurity.com/how-to-test/injection-vulnerabilities/Javascript-Injection"
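
Both answers say the check has to happen on the server. The following is an added example, not part of the original question or answers, showing one way to do that in Node.js: the server signs the `goid` and `level` values it chose and rejects a POST whose fields no longer match. The names `SECRET`, `sign`, `issueBattleFields`, `verifyBattleFields`, the extra `sig` hidden field and the session ids are assumptions made for the illustration.

```javascript
// Added example: server-side integrity check for the hidden "goid"/"level" fields.
const { createHmac, randomBytes, timingSafeEqual } = require('node:crypto');

// Server-only secret (constructed here; a real app loads it from configuration).
const SECRET = randomBytes(32);

// HMAC over the values the server picked, bound to the session they were issued to.
function sign(sessionId, goid, level) {
  return createHmac('sha256', SECRET)
    .update(JSON.stringify([sessionId, String(goid), String(level)]))
    .digest('hex');
}

// Used when rendering the form: the three hidden fields to embed.
function issueBattleFields(sessionId, res) {
  return {
    goid: String(res.id),
    level: String(res.level),
    sig: sign(sessionId, res.id, res.level),
  };
}

// Used in the POST handler: true only if the fields are exactly what was issued.
function verifyBattleFields(sessionId, body) {
  const { goid, level, sig } = body;
  if (![goid, level, sig].every((v) => typeof v === 'string')) return false;
  if (!/^[0-9a-f]{64}$/.test(sig)) return false; // malformed or missing signature
  const expected = Buffer.from(sign(sessionId, goid, level), 'hex');
  return timingSafeEqual(expected, Buffer.from(sig, 'hex'));
}

// Constructed sample: an untouched submission, an edited goid, and a reused form.
function demo() {
  const fields = issueBattleFields('session-abc', { id: 25, level: 7 });
  const tampered = { ...fields, goid: '150' }; // value changed in the browser
  return {
    honest: verifyBattleFields('session-abc', fields),
    tampered: verifyBattleFields('session-abc', tampered),
    otherSession: verifyBattleFields('session-xyz', fields),
  };
}
```

The signature detects edited fields but not a replay of the same form within one session; keeping the issued id in server-side session state and clearing it on submit covers both.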
