#1
July 17th, 2013, 09:44 PM
 martincodes
Registered User

Join Date: Jul 2013
Posts: 3
Time spent in forums: 24 m 53 sec
Reputation Power: 0
Having my school quiz getting sabotaged

Some friends and I are creating a quiz in Java; it has gone really well, actually. Although, we are facing problems here and there.

// Client-side scoring as posted. l() and d() are helper functions defined
// elsewhere on the page (not shown in the post); billingscore is set elsewhere.
score = 0;
for (var x = 1; x <= 5; x++) {
    if (l('quest1' + x) != 0) { score = score + 1; }
    else { score = score - 1; }
}
for (var x = 1; x <= 3; x++) {
    if (l('quest2' + x) != 0) { score = score + 1; }
    else { score = score - 1; }
}
if (l('quest3') != 0) { score++; }
else { score--; }

score = score + billingscore;
if (l('postcode') != 0) { score++; }
else { score--; }
if (d('email') && l('email') != 0) { score++; }

So for this one, it's three questions that should match the actual answers. This will give a total of 3 points if all are correct.
The green lines & elements are where they should add their postcodes in the correct country match, pretty confusing though. If the codes are close to the match, or even exact, points are earned.

These are the last lines which decides if the user has enough score.

// Fragment of the final if/else chain; the branches before the first one shown,
// and any between the two, are not in the post.
else if (score < 0) {
    condition = 'Poor';
    s('update').color = 'black';
    s('summaryf').border = '1px solid black';
}
else if (score > 11.5) {
    condition = 'Good';
    s('update').color = 'cyan';
    s('summaryf').border = '1px solid cyan';
}

People have somewhat managed to bypass my small security.
Recently everyone has managed to max their points to 11.5 and they automatically "win our grand prize".
I believe they lure the system into saying that their answer is the correct answer, so my system sees it as the correct, actual answer. Thereby, without knowing the answer, they still manage to get the points per question (textbox).
Hope you understand.

This started as a school project but turned more advanced & fun.

Best regards,
Martin

#2
July 18th, 2013, 06:41 AM
 MrFujin
Lord of the Dance

Join Date: Oct 2003
Posts: 3,340
Time spent in forums: 2 Months 2 Weeks 4 Days 16 h 49 m 18 sec
Reputation Power: 1828
Quote:
 Originally Posted by martincodes: Some friends and I are creating a quiz in Java,

Think you mean JavaScript?

But the first rule with JavaScript is that it cannot be trusted.
It is possible for the user to read, change, or even omit/skip the JavaScript.

If you have posted any answer in the JavaScript, then you have given them the answers yourself.

#3
July 26th, 2013, 05:48 PM
 martincodes
Registered User

Join Date: Jul 2013
Posts: 3
Time spent in forums: 24 m 53 sec
Reputation Power: 0
Quote:
 Originally Posted by MrFujin: Think you mean JavaScript? But the first rule with JavaScript is that it cannot be trusted. It is possible for the user to read, change, or even omit/skip the JavaScript. If you have posted any answer in the JavaScript, then you have given them the answers yourself.

Yes, JavaScript, my bad!

The answers are not in the JavaScript itself; they are in a different PHP database.

best regards,
martin

#4
July 26th, 2013, 06:58 PM
 Jacques1
You have been warned

Join Date: Jul 2012
Posts: 3,079
Time spent in forums: 2 Months 3 Weeks 3 Days 18 h 58 m 32 sec
Reputation Power: 1063
Hi,

the problem is that you don't understand how websites work -- like many people.

How you've set up your pages or what JavaScript you wrote does not matter. It's completely irrelevant. It's a fancy façade for people to look at, nothing more.

The question is what your server does and how it reacts to input. Does your server simply believe me if I tell it that I got so and so many points? Well, then I'm gonna tell your server that I have 10,000 points. I don't even need a browser for this. I simply go to the command line and send your server a message with this score. That's it, I just won your prize.

Again: The JavaScript code on your page does not bother me in any way. I won't even open the browser to visit your website. I simply send an HTTP request to your server, and then I'll get the prize.

The only way to prevent this is to check the answers and calculate the score on the server. When a user visits your website, you start a session, you create a session variable for the score, and then you wait for the answers to the questions. For every correct answer you increment the score in the session. And at the end, you check the total score.

This does not prevent cheating. People can simply repeat the test or share the correct answers. But a session at least forces your users to actually send answers rather than just making up their own score.

So you need to remove all score stuff from the JavaScript and put it into the PHP script. In fact, you need no JavaScript at all. The only reason to use it would be to make the site prettier or more comfortable. You can't use JavaScript for anything important.
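As an added illustration of the session-based check Jacques1 describes (example code, not from the thread or the poster's project; the real backend is PHP, and the answer key, field names, session ids and win threshold below are made up), here is the same idea in plain JavaScript so the forged-request case can be run side by side with an honest submission:

```javascript
// Added example, not code from the thread. The poster's backend is PHP; the same
// structure applies there ($_SESSION instead of the Map, answers from the database).
// Field names, answers and the threshold are assumed for illustration only.

// The answer key lives only on the server. If it were in the page's JavaScript,
// every visitor could read it.
const ANSWER_KEY = {
  quest11: 'paris', quest12: 'berlin', quest13: 'madrid', quest14: 'rome', quest15: 'oslo',
  quest21: '1789', quest22: '1945', quest23: '1989',
  quest3: 'blue',
};
const WIN_THRESHOLD = 6.5; // assumed: one wrong answer still wins (the thread uses 11.5 over more fields)

function normalize(value) {
  return String(value == null ? '' : value).trim().toLowerCase();
}

// Compute the score from the submitted answers only. Mirrors the poster's rule
// (+1 per correct answer, -1 per wrong or missing one) but runs on the server.
// A client-supplied "score" field is never read, so it cannot influence anything.
function scoreAnswers(submission) {
  let score = 0;
  for (const field of Object.keys(ANSWER_KEY)) {
    score += normalize(submission[field]) === ANSWER_KEY[field] ? 1 : -1;
  }
  return score;
}

// Per-visitor server state, keyed by session id (stand-in for PHP's $_SESSION).
const sessions = new Map();

function startSession(sessionId) {
  sessions.set(sessionId, { score: 0, submitted: false });
}

// Handle one answer submission. Returns the server's verdict; the browser only
// gets to display it. One attempt per session, so the answers cannot be
// resubmitted until they all pass.
function handleSubmit(sessionId, submission) {
  const session = sessions.get(sessionId);
  if (!session) return { ok: false, reason: 'no session' };
  if (session.submitted) return { ok: false, reason: 'already submitted' };
  session.submitted = true;
  session.score = scoreAnswers(submission || {});
  return { ok: true, score: session.score, won: session.score > WIN_THRESHOLD };
}

// Demonstration: a forged request that claims a huge score is scored as all-wrong,
// because the server recomputes from the answers it was actually given.
startSession('forger');
const forged = handleSubmit('forger', { score: 10000 });
// -> { ok: true, score: -9, won: false }

startSession('honest');
const honest = handleSubmit('honest', {
  quest11: ' Paris ', quest12: 'Berlin', quest13: 'madrid', quest14: 'rome', quest15: 'oslo',
  quest21: '1789', quest22: '1945', quest23: '1989', quest3: 'BLUE',
});
// -> { ok: true, score: 9, won: true }
```

In the PHP version the pieces map one to one: session_start() creates the session, $_SESSION['score'] is only ever updated from the comparison against the answers stored in the database, and the handler never reads a score parameter from $_POST. The browser-side JavaScript can still compute a score to show the user while they type, but nothing the server decides depends on it.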

#5
July 26th, 2013, 11:15 PM
 Kravvitz
CSS & JS/DOM Adept

Join Date: Jul 2004
Location: USA
Posts: 20,098
Time spent in forums: 6 Months 6 Days 18 h 35 m 17 sec
Reputation Power: 4195
As Jacques1 said, all critical calculations (as in results someone may want to fake) need to be performed on the server, even if you do them with JavaScript in the browser.

Quote:
 Originally Posted by Jacques1 You can't use JavaScript for anything important.

Please try to avoid making sweeping statements like that which are so easily taken outside of the context of this discussion of a particular script.

#6
July 27th, 2013, 03:56 PM
 martincodes
Registered User

Join Date: Jul 2013
Posts: 3
Time spent in forums: 24 m 53 sec
Reputation Power: 0
I am truly grateful for that answer, Jacques1; it gave me a quick understanding of JavaScript.
From what I see now, I was totally lost.

The quiz was designed to teach me coding, and your words pretty much cleared up so much for me.

Thanks a lot!
