Porl123, posted September 17, 2010:

I have two functions; one which first takes a list using XMLHttpRequest from a file called gatherList.php, splits it by \n, then using setTimeout every second adds a line to a DIV. Once this list has reached the end, it calls a second function that runs another file called endActions.php and I want this to only be run after the list has filled.

The problem is that the user can just view the endActions.php page in their browser before the list has filled, so I need to pass over a key from the main file to the endActions.php page through a php GET. The problem is that I can't use a cookie, as the user could edit it and I can't use a random number using Math.random() because that can't be compared on the endActions.php page. I also can't save the value to either a file or a mysql table through another XMLHttpRequest as the user could go to saveKey.php?x= and enter their own code, then run the endActions.php page using it. I also can't use php sessions as they would be visible in the source, allowing the user to copy them and access the endActions.php file with it.

It's a difficult situation and I can't really think of how else to explain it but if you know of any way I can make it so only the main page can access the endActions.php page, I'd appreciate it if you could help me out. I've posted this on the php board but it's probably more of an ajax issue. Anyway, thanks in advance!

Porl123, posted September 17, 2010:

I've just been thinking. Are there any settings I can put on the file to prevent them from being accessed by the user, without also preventing the script from being able to run it?

gamesmstr, posted September 17, 2010:

JS is by definition a client side language. Its presence in the browser page code is part of what makes the page work in the browser. Hiding that is tricky.

Porl123, posted September 17, 2010:

Yeah, I've tried so many different solutions now but they're all flawed. Nothing in my knowledge of both php or javascript is working.

Porl123, posted September 17, 2010:

The only possible method I can think of would be using encryption to make the value unreadable in the source, but I still don't know how I'd do that.

gamesmstr, posted September 17, 2010:

There are ways to hide the code from the average user from using the "Show Source", but anyone with Firefox and a Firebug plugin will get around it and those are the guys you are worried about, not the casual user. Instead of hiding it, why not just validate the event calling the function?

Porl123, posted September 17, 2010:

Sorry, how do you mean?

gamesmstr, posted September 17, 2010:

> I also can't save the value to either a file or a mysql table through another XMLHttpRequest as the user could go to saveKey.php?x= and enter their own code, then run the endActions.php page using it.

Either validate the x variable or have it sent via the POST method. One thing I have used is a db trigger. Have a column called "showend" with a value of 0. On displaying the last line, flip that to 1 and make your endActions.php file dependent on the value of showend.

Porl123, posted September 17, 2010:

But I'd probably flip the switch with a script and the user would be able to run that script and flip it manually, couldn't they?

gamesmstr, posted September 17, 2010:

Not if you used php to do it.

Porl123, posted September 17, 2010:

But how would the php know when the javascript is on the last list, though?

gamesmstr, posted September 18, 2010:

Use a variable passed through the ajax function via the POST method.

Porl123, posted September 18, 2010:

I think POST has the same problem as GET. The user can set them both manually.

gamesmstr, posted September 18, 2010:

But he'd have to know what to send and it would not be visible in the browser url bar. If that variable was a random number generated upon the 1st line display and stored in a db, then passed on the last line and verified against the one stored in the db, there would be no way of knowing what that variable was until after the final code was executed.

One thing that might help is if I knew exactly what this is supposed to be. Only thing I can think of is a trivia game or something similar where it gives hints.

Porl123, posted September 18, 2010:

It's an animal fighting game. I was just thinking, couldn't they store the code to what they want it through the file that stores the random number in the database? They could use php cURL to send the POST data.

gamesmstr, posted September 18, 2010:

No. If I use php to generate and send the security code to mysql, and at the end use php mysql to pull that code to verify that the code sent via post was correct, you should have a secure system.

I had a similar problem in a game I run. It had a series of challenges to win a big prize. To avoid people attempting to run the final JS command out of sequence, I set up a step column in the user db. It set it to 0 at the start of the challenge and after each sequence updated the database with a new step value. At each challenge, it checked the step column to verify that the value was valid. If it wasn't, I had it send me a nice little message about who was doing it. Got rid of a few hackers that way.

Porl123, posted September 18, 2010:

So I'd need to make a random code using Math.random() and then using ajax I send it to a php file through a POST variable, which will store it in mysql?

gamesmstr, posted September 18, 2010:

No, I'd make the random number in php, then store it in mysql. Then retrieve it and pass it to your final phase as a post variable, and verify that it matches the stored one.

Porl123, posted September 18, 2010:

Yeah, but in order to send it through ajax it would need to be visible in the source. Couldn't they just copy it from the source and post it through to the file?

gamesmstr, posted September 18, 2010:

If the only time it is sent to the source is when you are calling it for the final time, then who cares?

Porl123, posted September 18, 2010:

Because while the list is filling, which could take up to a minute, it'll be present in the source. The user will be able to view the source, copy the code and post it through to the end file before it's due.

gamesmstr, posted September 18, 2010:

Now I'm confused. You are sending the data for the entire list and final results all at once? Can you post your code? It would help us understand exactly what it is you are doing.

Porl123, posted September 18, 2010:

Yeah sure.

```javascript
// connect() is a helper defined elsewhere on the poster's page (not shown in
// the post); this code treats a false return value from it as failure.
var battleLog, battleList, battleCount, i = 0;

function runBattle() {
    var xmlHttp = connect();
    if (xmlHttp != false) {
        // The random query string only keeps the browser from caching the reply.
        xmlHttp.open('GET', '/inc/battle/runBattle.php?' + Math.random(), true);
        xmlHttp.onreadystatechange = function() {
            if (xmlHttp.readyState == 4) {
                // The whole battle log arrives at once and is held client-side.
                battleLog = xmlHttp.responseText;
                battleList = battleLog.split('\n');
                battleCount = battleList.length;
                addLine();
            }
        };
        xmlHttp.send(null);
    }
}

function addLine() {
    if ((i + 1) == battleCount) {
        // End of the list: request endBattle.php and show its response.
        var xmlHttp = connect();
        if (xmlHttp != false) {
            xmlHttp.open('GET', '/inc/battle/endBattle.php?' + Math.random(), true);
            xmlHttp.onreadystatechange = function() {
                if (xmlHttp.readyState == 4) {
                    document.getElementById('battleResponse-1').innerHTML = xmlHttp.responseText + document.getElementById('battleResponse-1').innerHTML;
                }
            };
            xmlHttp.send(null);
        }
    } else if ((i + 1) < battleCount) {
        // Prepend the next line to the log, then schedule the one after it.
        document.getElementById('battleResponse-1').innerHTML = battleList[i] + '<br />' + document.getElementById('battleResponse-1').innerHTML;
        document.getElementById('battleResponse-2').innerHTML = battleList[i];
        i++;
        setTimeout(addLine, 800);
    }
}

window.onload = runBattle;
```

Porl123, posted September 18, 2010:

Sorry, should have done that in the beginning.

gamesmstr, posted September 19, 2010:

Yeah, I see your problem. Your solution is going to have to be php based. You can still pass the necessary variables via ajax post, but your security setup will have to be php based.

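The server-side ideas raised in this thread (a value generated in PHP, a step flag held on the server) combined into one check, as an added example that is not part of the thread or any poster's code. The function names, the `$state` array standing in for `$_SESSION` or a database row, and the elapsed-time check derived from the script's 800 ms delay are assumptions.

```php
<?php
// Added example, not code from the thread. $state stands in for server-side
// storage tied to the player ($_SESSION or a row in the user table).
const LINE_DELAY_MS = 800; // same delay as setTimeout in the posted script

// Logic for runBattle.php: the server records the battle before replying.
function startBattle(array &$state, array $lines, float $nowMs): string
{
    $state['battle'] = [
        'step'     => 'running',
        // The posted script calls endBattle.php after (count - 1) timer
        // ticks, so no honest client can arrive before this moment.
        'ready_at' => $nowMs + max(0, count($lines) - 1) * LINE_DELAY_MS,
        'token'    => bin2hex(random_bytes(16)), // one-time value made in PHP
    ];
    return implode("\n", $lines);
}

// Logic for endBattle.php: decides only from what the server stored earlier.
function endBattle(array &$state, string $postedToken, float $nowMs): string
{
    $battle = $state['battle'] ?? null;
    if ($battle === null || $battle['step'] !== 'running') {
        return 'rejected: no battle in progress';
    }
    if (!hash_equals($battle['token'], $postedToken)) {
        return 'rejected: bad token';
    }
    if ($nowMs < $battle['ready_at']) {
        return 'rejected: too early'; // a token copied from the page and sent early
    }
    $state['battle']['step'] = 'finished'; // a replay now fails the step check
    return 'ok: rewards applied';
}

// Constructed walk-through with a fake clock in milliseconds.
$state = [];
startBattle($state, ['Rex bites', 'Tom scratches', 'Rex wins'], 0.0);
$token = $state['battle']['token'];
echo endBattle($state, $token, 500.0), "\n";   // sent while the list is still filling
echo endBattle($state, 'guess', 3000.0), "\n"; // made-up token
echo endBattle($state, $token, 3000.0), "\n";  // honest client after the list has filled
echo endBattle($state, $token, 3100.0), "\n";  // second attempt with the same token
```

Because the decision rests on state the browser never writes, it does not matter that the token is visible in the page source while the list fills.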