
Need to encrypt javascript die roller output

Hi, I'm making a javascript program for rolling dice for a roleplaying
game that's played in a forum. The die roll gets generated, gets stored
as text in a hidden form field, and then gets written to the mySQL
database upon form submission.

What I want to do is prevent cheaters from being able to create their
own die roll, and the best way I've come up with to do this is to
encrypt what gets stored in the hidden form field. However, since all
javascript code can be viewed by the user, they can see what key I'm
using.

Any suggestions on what to use as a key that a user cannot get access
to? Data hard-coded into a java applet, perhaps? Even that might be
hackable by someone with a tool capable of inspecting javascript variables
at run-time.

Is it simply impossible to prevent cheating if my code is in
javascript? There must be some way to secure hidden form fields to
ensure that their content is code-produced only. Is there? Or is there
some other way to make a cheater-proof javascript die roller I haven't
thought of?

Jul 1 '06 #1
On 1 Jul 2006 16:00:37 -0700, go**********@herbaloutfitters.com wrote:
> Hi, I'm making a javascript program for rolling dice for a roleplaying
> game that's played in a forum. The die roll gets generated, gets stored
> as text in a hidden form field, and then gets written to the mySQL
> database upon form submission.
>
> What I want to do is prevent cheaters from being able to create their
> own die roll, and the best way I've come up with to do this is to
> encrypt what gets stored in the hidden form field. However, since all
> javascript code can be viewed by the user, they can see what key I'm
> using.
>
> Any suggestions on what to use as a key that a user cannot get access
> to? Data hard-coded into a java applet, perhaps? Even that might be
> hackable by someone with a tool capable of inspecting javascript variables
> at run-time.
Any method of producing data on the client side can be hijacked; you need
to use server-side code here. If the user needs to be able to see the die
roll before submitting the form then you should generate it before
displaying the form and include it in the page (either storing the result
in the database so users can't change it, or using some one-way or
time-dependent cryptography so if they try to change it you can find out).

--
Safalra (Stephen Morley)
http://www.safalra.com/programming/javascript/
Jul 2 '06 #2
go**********@herbaloutfitters.com writes:
> Hi, I'm making a javascript program for rolling dice for a roleplaying
> game that's played in a forum. The die roll gets generated, gets stored
> as text in a hidden form field, and then gets written to the mySQL
> database upon form submission.
Bad choice. You are effectively making a client/server application
where the client is under the complete control of the user.
In that situation, you can not trust the client.
> What I want to do is prevent cheaters from being able to create their
> own die roll, and the best way I've come up with to do this is to
> encrypt what gets stored in the hidden form field. However, since all
> javascript code can be viewed by the user, they can see what key I'm
> using.
Indeed. No matter what the browser does, the user can modify it to do
something else, like changing a call to Math.random to one always
returning 1.0.
> Any suggestions on what to use as a key that a user cannot get access
> to? Data hard-coded into a java applet, perhaps? Even that might be
> hackable by someone with a tool capable of inspecting javascript variables
> at run-time.
Roll the dice on the server. It's the only way to be sure[1]
> Is it simply impossible to prevent cheating if my code is in
> javascript?
Yes. More to the fact, it's impossible to prevent cheating when
the client generates the random number directly.

You could make the client create a random number, and then offset
it by a number computed on the server, but then you could just
use the server generated number directly.
> There must be some way to secure hidden form fields to
> ensure that their content is code-produced only. Is there?
There mustn't, and there isn't.
The security model of client side scripting allows full control
over the page, and even if not, any form submission can be faked
with a simple telnet connection.
> Or is there some other way to make a cheater-proof javascript die
> roller I haven't thought of?
Roll on the server, then send the number to the client as part of
the response of the submission.
/L
[1] that, and nuking the site from orbit.
--
Lasse Reichstein Nielsen - lr*@hotpop.com
DHTML Death Colors: <URL:http://www.infimum.dk/HTML/rasterTriangleDOM.html>
'Faith without judgement merely degrades the spirit divine.'
Jul 2 '06 #3
go**********@herbaloutfitters.com wrote:
> Hi, I'm making a javascript program for rolling dice for a roleplaying
> game that's played in a forum. The die roll gets generated, gets
> stored as text in a hidden form field, and then gets written to the
> mySQL database upon form submission.
>
> What I want to do is prevent cheaters from being able to create their
> own die roll, and the best way I've come up with to do this is to
> encrypt what gets stored in the hidden form field. However, since all
> javascript code can be viewed by the user, they can see what key I'm
> using.
>
> Any suggestions on what to use as a key that a user cannot get access
> to? Data hard-coded into a java applet, perhaps? Even that might be
> hackable by someone with a tool capable of inspecting javascript variables
> at run-time.
>
> Is it simply impossible to prevent cheating if my code is in
> javascript? There must be some way to secure hidden form fields to
> ensure that their content is code-produced only. Is there? Or is there
> some other way to make a cheater-proof javascript die roller I haven't
> thought of?
Create a rollDice function on the server, and make an AJAX call from
the client.

The rollDice rolls and stores the value on the server in one go,
and just returns the number of eyes to the client for display.

--
Dag.
Jul 2 '06 #4
Safalra <us****@safalra.com> writes:
> If the user needs to be able to see the die roll before submitting
> the form then you should generate it before displaying the form and
> include it in the page (either storing the result in the database so
> users can't change it, or using some one-way or time-dependent
> cryptography so if they try to change it you can find out).
In a game situation, knowing the number ahead of deciding your action
is also bad. If you know that you will fail your first attack roll and
succeed the second, you'll save your vastly expensive and highly
effective magical arrow for the second attack.

Make the form contain the player's decisions and the response contain
the results. It's both safer and much simpler than any convoluted attempt
at making the client safe.
/L
--
Lasse Reichstein Nielsen - lr*@hotpop.com
DHTML Death Colors: <URL:http://www.infimum.dk/HTML/rasterTriangleDOM.html>
'Faith without judgement merely degrades the spirit divine.'
Jul 2 '06 #5
Yep, here's one cheater-resistant way. The CHAP protocol uses a technique
to prevent such a man-in-the-middle attack. And using that, no, there's no
cleartext password exchanged over the wire.

Here's a cursory description of how: At each exchange, the server sends
(and remembers) a random string. The client hashes a concatenation of that
random value with the client's hashed password (cookie-stored) and sends
that. Which is compared server-side with the expected hash.

You'd use the result (hash of a hash) as the key to encrypt the die roll
info client side with some available symmetric key function (RC4 or 5, or
AES) before sending. Then, decrypt on receipt server-side.

Hash is MD5, and there's Paul Johnson's JS function available online.
Server-side, any language processor will have an MD5 hash function available.
Poke around for the symmetric key function script for both sides.

AS
<go**********@herbaloutfitters.com> wrote in message
news:11*********************@m73g2000cwd.googlegroups.com...
> Hi, I'm making a javascript program for rolling dice for a roleplaying
> game that's played in a forum. The die roll gets generated, gets stored
> as text in a hidden form field, and then gets written to the mySQL
> database upon form submission.
>
> What I want to do is prevent cheaters from being able to create their
> own die roll, and the best way I've come up with to do this is to
> encrypt what gets stored in the hidden form field. However, since all
> javascript code can be viewed by the user, they can see what key I'm
> using.
>
> Any suggestions on what to use as a key that a user cannot get access
> to? Data hard-coded into a java applet, perhaps? Even that might be
> hackable by someone with a tool capable of inspecting javascript variables
> at run-time.
>
> Is it simply impossible to prevent cheating if my code is in
> javascript? There must be some way to secure hidden form fields to
> ensure that their content is code-produced only. Is there? Or is there
> some other way to make a cheater-proof javascript die roller I haven't
> thought of?

Jul 2 '06 #6
"Arnold Shore" <Nu***@away.far> writes:
> Yep, here's one cheater-resistant way.
> Here's a cursory description of how: At each exchange, the server sends
> (and remembers) a random string. The client hashes a concatenation of that
> random value with the client's hashed password (cookie-stored) and sends
> that. Which is compared server-side with the expected hash.
>
> You'd use the result (hash of a hash) as the key to encrypt the die roll
> info client side with some available symmetric key function (RC4 or 5, or
> AES) before sending. Then, decrypt on receipt server-side.
But what prevents the player from fixing the die roll itself?

Secure transfer is not the problem, but preventing him from substituting
Math.random with function(){return 1.0;} is.

/L
--
Lasse Reichstein Nielsen - lr*@hotpop.com
DHTML Death Colors: <URL:http://www.infimum.dk/HTML/rasterTriangleDOM.html>
'Faith without judgement merely degrades the spirit divine.'
Jul 2 '06 #7
Dag Sunde wrote:
> Create a rollDice function on the server, and make an AJAX call from
> the client.
This is exactly what I will do. I've never used AJAX before, hence the
attempt to do it client-side, but I just read up on AJAX and it looks
simple enough. Thank you! This is just what I needed, and thanks
everyone else--I learned a lot.

Kanon

Jul 2 '06 #8
go**********@herbaloutfitters.com writes:
> This is exactly what I will do. I've never used AJAX before, hence the
> attempt to do it client-side, but I just read up on AJAX and it looks
> simple enough. Thank you! This is just what I needed, and thanks
> everyone else--I learned a lot.
I question whether this actually solves your problem, but perhaps only
because the problem hasn't been stated precisely yet :)

Will successive server calls give the same result or different
results?
If the same results, why not just include the random number with
the original page.
If different results, what prevents the user from reloading until
he gets a good number?

/L
--
Lasse Reichstein Nielsen - lr*@hotpop.com
DHTML Death Colors: <URL:http://www.infimum.dk/HTML/rasterTriangleDOM.html>
'Faith without judgement merely degrades the spirit divine.'
Jul 2 '06 #9
Lasse Reichstein Nielsen wrote:
> go**********@herbaloutfitters.com writes:
>> This is exactly what I will do. I've never used AJAX before, hence
>> the attempt to do it client-side, but I just read up on AJAX and it
>> looks simple enough. Thank you! This is just what I needed, and
>> thanks everyone else--I learned a lot.
>
> I question whether this actually solves your problem, but perhaps only
> because the problem hasn't been stated precisely yet :)
>
> Will successive server calls give the same result or different
> results?
> If the same results, why not just include the random number with
> the original page.
> If different results, what prevents the user from reloading until
> he gets a good number?
As long as he wanted to store it in a db serverside, he should have
no problems maintaining state during the session serverside.

--
Dag.

Jul 2 '06 #10

