
I don't want my users to be able to change the `'+res.id+'` and `'+res.level+'` values using inspect element, because if they do it changes the outcome of the submit button.

For example '+res.id+' is = 2 and 2 is equal to a firedragon, but if the person uses inspect element they can change that 2 to a 1 and 1 is equal to a lightningdragon. Then when they click battle the firedragon was changed to a lightningdragon. Basically they can battle whoever/whatever they want.

Is there any way to prevent people from changing those variables, OR to check if the variable was changed so I can send the user an error message?

html += '<form name="input" action="ingame.php?page=attack/travel/startbattle" enctype="multipart/form-data" method="post">';
html += '<input type="hidden" id="goid" name="goid" value="'+res.id+'">';
html += '<input type="hidden" id="level" name="level" value="'+res.level+'">';
html += '    <input type="submit" value="Battle!" class="button"/>';
html += '</form>';
  • I would suggest checking it on the server side, with sessions or something like that: randomly generated unique hashes for that one specific user. – rsz May 12 '14 at 22:35

2 Answers

If you want to store variables you can trust then don't send them to the client, instead keep them only in server memory (using Session state, a database, or some other backing-store that persists between requests).

If you need to share values with the client, then send them out but don't accept them as input from the user.

As a third option, if you have a completely stateless server and need to expose values to the client, then you can encrypt and/or sign the values, so that when they're returned from the client you can verify that they haven't been tampered with. Using Message Authentication Codes is one such implementation of this approach: http://en.wikipedia.org/wiki/Message_authentication_code

Dai

You can’t stop a user from submitting whatever parameters they like to your form endpoint. Even if you could somehow stop the form values from being changed, someone could use curl or the like to send a custom-crafted request to the server.

You need server-side validation of input values. You may need to store an intermediary object that can be retrieved when the form is submitted; then you won’t have to carry along those values as hidden fields.

Buck Doyle