function updateR()
{
    // point and level are globals set elsewhere by the game code
    $.ajax({
        type: "POST",
        url: "update.php",
        data: { surprize: '12345678910', dpoint: point, dlevel: level }
    }).done(function( msg ) {
        // alert( "Data Saved: " + msg );
    });
}

This is my function. How can I block or protect the AJAX POST values (point or level) from the browser's inspect element, if a user opens the browser's inspect element and changes the value of point?

Nasir Aliyev
  • I don't think you can do much about it – Arun P Johny Mar 11 '13 at 13:39
  • There's nothing you can do to prevent somebody from using the browser to modify anything running client-side, which is why you should always validate requests on the server-side. If you know the unmodified values of `point` and `level` on the server then you can check that they haven't been changed there. – Anthony Grist Mar 11 '13 at 13:41

3 Answers


In short, you can't! Yes, you can do a bunch of things to hide it in some way or add some garbage to obfuscate it, but in the end a determined user will find it, quite simply because the user can see the code that is responsible for sending this to the server.

Now you can make it difficult for someone trying to do this, maybe by adding junk values to the AJAX request, or by appending some number of junk values to the actual data. But then you have to obfuscate your JavaScript code which is responsible for doing this too.

But don't, don't, don't, don't ever rely on this! Because you can only make it difficult, and someone determined will be able to do it. And if you find yourself in a situation where you need to send some data to the server that is confidential to the user, then you need to rethink your system architecture instead of trying to hide the request from the user.

Ahmed Aeon Axan

A web application is a client-server application; you can never trust data that is coming from the client. Maybe you could make it harder to cheat, but the user always has the possibility to send modified data to your server.

  • Thanks guys for the answers, but I think I must do it or make something for it, because it's a 7-day mini game for a big company. Users must play and win prizes. But I don't know how to protect it. point can be some number and I can't verify it on the server (( – Nasir Aliyev Mar 11 '13 at 13:56
  • Why can't you validate it on the server? If it is a game you should be able to store the previous action and validate whether the current action is allowed. – Björn Mårtensson Mar 11 '13 at 13:59
  • Or use some kind of obfuscation technique. Maybe compressing the JavaScript makes it a little harder for the users to see what is really going on, but it is not a safe solution. – Björn Mårtensson Mar 11 '13 at 14:00
  • I can do this, but I don't know whether it's a real point value or a fake one. A user can manually send 3500 points, or he can really play and win 3500 points. – Nasir Aliyev Mar 11 '13 at 14:05
  • But can't you validate the user's progress through the game, so that he doesn't send the score; instead he sends the events that are rewarding him with points, and then the server calculates the number of points? – Björn Mårtensson Mar 11 '13 at 14:07
  • How do I verify on the server whether it's a real point value or a fake one? Or how do I verify that the user changed the JS code manually? – Nasir Aliyev Mar 11 '13 at 14:14
  • If the game runs fully in the browser of the user, you will not be able to validate the data; you will have to make some modifications to be able to validate that the progress of the user is valid. – Björn Mårtensson Mar 11 '13 at 14:16

Actually, the user can send whatever he wants, whether it's through the browser or just the command line / any other tool.

You have to sanitize and filter your input on your server side.

For example, if you know that you want only numeric values for the POST var named 'surprize', you have to validate it in the following way:

// reject a missing or non-numeric 'surprize' before using it
if(empty($_POST['surprize']) || !is_numeric($_POST['surprize'])){
  // invalid surprize
  die('Bad Surprize value');
}
Idan Gozlan
  • I can do this, but I don't know whether it's a real point value or a fake one. A user can manually send 3500 points, or he can really play and win 3500 points. – Nasir Aliyev Mar 11 '13 at 14:06
  • Your point reward mustn't be on your server side!!!! Take care of it, please. If you want to reward points, you can post to your server the question id and answer number, and your server side will decide whether to give the user points. You also should check matching by game session id or something, because the user can send you this request whenever he wants and reward points for that. – Idan Gozlan Mar 11 '13 at 14:13
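The event-based, server-computed scoring that the comments on this answer and on the previous one describe, as an added example that is not part of the original question or answers. It is written in JavaScript (a Node-style request handler) rather than the PHP of update.php, so that the hardened handler sits next to the pattern the question's own request implies. GameSession, QUESTIONS, handleUpdate, naiveHandleUpdate, the session id scheme and the sample request bodies are all assumptions made for illustration:

```javascript
"use strict";

// Added example, not the question's update.php. The client reports EVENTS
// (which question it answered and with which option); the server decides
// whether points are due from its own answer key and its own per-session
// state. The score and level never arrive from the client.

// Constructed answer key (assumption); in a real game this is in the database.
const QUESTIONS = {
  q1: { correct: 2, points: 100 },
  q2: { correct: 0, points: 250 },
  q3: { correct: 3, points: 3150 },
};
const ANSWER_OPTIONS = 4; // options are indexed 0..3

// Per-player state lives on the server, keyed by an unguessable id the
// server issued when the game started (assumed scheme).
class GameSession {
  constructor(sessionId) {
    this.sessionId = sessionId;
    this.answered = new Set(); // question ids already scored
    this.score = 0;
    this.level = 1;
  }
}
const sessions = new Map();

function createSession(sessionId) {
  const session = new GameSession(sessionId);
  sessions.set(sessionId, session);
  return session;
}

// The pattern the question's request (dpoint/dlevel) implies: whatever the
// client claims is stored. Editing `point` in the devtools console, or
// replaying the request with curl, yields any score the attacker likes.
function naiveHandleUpdate(body) {
  return { ok: true, score: Number(body.dpoint), level: Number(body.dlevel) };
}

// Hardened handler. `body` is the parsed POST body of one event.
// Returns { ok, reason? , score?, level? }.
function handleUpdate(body) {
  const session = sessions.get(body.session);
  if (!session) return { ok: false, reason: "unknown session" };

  // Refuse any attempt by the client to state its own score or level.
  if ("dpoint" in body || "dlevel" in body) {
    return { ok: false, reason: "score fields are not accepted from the client" };
  }

  // Input validation, in the spirit of the is_numeric() check above: the
  // event must name a known question and an integer option in range.
  const question = QUESTIONS[body.question];
  if (!question) return { ok: false, reason: "unknown question" };
  if (!Number.isInteger(body.answer) || body.answer < 0 || body.answer >= ANSWER_OPTIONS) {
    return { ok: false, reason: "bad answer index" };
  }

  // State validation: a question is scored once per session, so replaying a
  // captured winning request does not keep adding points.
  if (session.answered.has(body.question)) {
    return { ok: false, reason: "question already answered" };
  }
  session.answered.add(body.question);

  if (body.answer === question.correct) {
    session.score += question.points;
  }
  // Level is derived from server-side state as well (assumed rule: one
  // level per 1000 points), never read from the client.
  session.level = 1 + Math.floor(session.score / 1000);

  return { ok: true, score: session.score, level: session.level };
}

// Stand-alone demo when run directly with node.
if (typeof require !== "undefined" && require.main === module) {
  createSession("demo");
  console.log(handleUpdate({ session: "demo", question: "q1", answer: 2 }));
  console.log(handleUpdate({ session: "demo", question: "q1", answer: 2 })); // replay rejected
  console.log(handleUpdate({ session: "demo", dpoint: 3500, dlevel: 9 }));  // refused
}
```

The client-side function from the question then only changes in what it posts: the session id and the event (question and answer), never `point` or `level`; the response from the server is the authoritative score to display.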