-1

I am creating a Q & A application where the users will be presented with a list of questions, and I am using the setTimeout() function to hide the questions, along with some other operations/validations. But the issue is that the user can easily bypass the validation by using the clearTimeout() function.

Is there any other method of creating JavaScript polling without setTimeout()?

Edit:

Thanks to all. I have updated my code to include the validations on the server side. But still, out of curiosity, isn't there any method to implement a polling feature without using setInterval() or setTimeout()?

Nandakumar V
  • 2
    A user can easily bypass any front-end (JavaScript) validation, no matter what method you use. Server-side validation is the only solution – Phil Oct 11 '12 at 05:22
  • 1
    Any client-side scripting language such as JavaScript can be easily bypassed, further more your users can always read the page's source in that case. Even obfuscation doesn't help, as the data will have to be decrypted at some point and any devoted user can step through the code. – Fabrício Matté Oct 11 '12 at 05:23
  • Yes that's true, but doing all this fading, popup, sliding will make the page appear more lively. I have done some validations on the server too. Isn't there any other way to create a polling? – Nandakumar V Oct 11 '12 at 05:51

3 Answers

0

jQuery has one: http://api.jquery.com/delay/ However, if you are worried about the user changing your JS, please add validation on the server end; no code running in JS can avoid such a hack.

Simon Wang
  • Thanks for your input, but jQuery's delay() also uses the setTimeout() function internally. [deconstructed_jquery](http://www.keyframesandcode.com/resources/javascript/deconstructed/jquery/) – Nandakumar V Oct 11 '12 at 05:29
  • Yes sure but it's better, you are running on JS so you've been limited with things it got, jQuery was just based on simple JS function but it's better isn't it? – Simon Wang Oct 11 '12 at 05:31
  • I agree with that. jQuery is a real time saver. – Nandakumar V Oct 11 '12 at 05:55
0

Well, you cannot have all your questions on the client side at first! You have to load them once one question is answered. Follow these basic steps:

  1. Bring only one question to the client, and use ajax to submit your answer to the server.
  2. Maintain the server date and time when the question is sent to the client; you can use this for validation when the answer is submitted to the server, to check what time it has taken.
  3. DO NOT RELY on client-side data; with developer tools mostly available, people can play around with your system.
  • The Q&A section is like a rapid fire round, so I can't wait till the ajax submits and then load the reply as the next question. It will surely affect the purpose of the rapid fire round. Also there is a validation process on the server side, I just want to make it a little user friendly. – Nandakumar V Oct 11 '12 at 05:39
0

clearTimeout works only if you saved "timeout id" returned by setTimeout, i.e:

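```javascript
var delay = 1000;      // placeholder delay in milliseconds
function foo() {}      // placeholder callbacks
function bar() {}

var timer = setTimeout(foo, delay);
// ...
clearTimeout(timer); // works

setTimeout(bar, delay);
// ...
// to cancel previous timer, we must use a "hack" (as no reference is saved, look at EDIT below)
```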

But in any case, you should NEVER rely only on a client-side (JavaScript) check; a server-side check is a MUST (and client-side is nice to have, in addition to that).

On server-side:

When you serve a question you simply save the timestamp somewhere (in a session variable, for example), then when you receive the answer you compare the current timestamp with the one saved when that question was served and make sure that the user has not spent more time than allowed to answer the question. This way, even if he/she finds a way to cheat (or simply if he/she has JavaScript turned off) you will be sure that he/she doesn't spend more time per question than allowed.

EDIT:

As noted in comments on this answer, it is possible to cancel timeout/interval/animationframe if we do not know exact timer id, by canceling all of them in a loop. This is possible since all major browsers implement timer ids as consecutive integer numbers.

I call this workaround a hack since timerID value (returned by setTimeout/setInterval) is not defined in any specification I could find. Currently, all browsers (as it seems, haven't checked them all) use consecutive numbering scheme for timer ids. And, this is not something we can rely on as it is not standardized feature.

Anyway, what is important in my answer is that this SHOULD NOT be done in JavaScript only. Ever.

krcko
  • 1
    `// no way do cancel previous timer, as no reference is saved`. try this `highestTimeoutId = setTimeout(""); for (var i = 0 ; i < highestTimeoutId ; i++) { clearTimeout(i); }` – Nandakumar V Oct 11 '12 at 05:40
  • well, that should probably work (sadly, I may add), but that's only because timer ids are implemented by most browsers as simple consecutive integers. AFAIK ECMAScript standard leaves that as implementation defined. But I might be wrong, and it would be great if someone tested how all popular browsers handle this. – krcko Oct 11 '12 at 05:50
  • 1
    @krcko, We can cancel all timeouts even without knowing the reference id, by using the method OP has mentioned in the comments. It does work. ECMAScript is the standard but all major browsers have implemented it as consecutive numbers. So that comment is not correct. – saji89 Oct 11 '12 at 05:57
  • @krcko, setTimeout is not part of ECMAScript specs. Please read http://stackoverflow.com/a/8852244/749232 for clarification. – saji89 Oct 11 '12 at 06:08
  • Hmm, yes, it does seem that way. All browsers I've checked use consecutive numbers. Even for requestAnimationFrame. Well, that's not really an issue, since any client-side validation is a no-no (without server-side validation too, that is). I will update my answer. – krcko Oct 11 '12 at 06:09
  • @krcko, I agree with your point on relying only on client side validation. `setTimeout` is actually part of Window object spec of w3c Ref: http://www.w3.org/TR/Window/#window-timers – saji89 Oct 11 '12 at 06:12
  • @krcko, Still your comment is confusing. How do you tell it's not legal, when there is no legal way specified in the specification? :) – saji89 Oct 11 '12 at 06:14
  • 1
    @saji89 Yes, it's part of spec, but spec only says "The methods returns a timerID which may be used in a subsequent call to clearTimeout to cancel the interval." but does not specify how timerID should be implemented by browsers. – krcko Oct 11 '12 at 06:15
  • let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/17851/discussion-between-saji89-and-krcko) – saji89 Oct 11 '12 at 06:17
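
The server-side check described in the second and third answers (save the server timestamp when a question is served, compare it when the answer arrives), sketched as an added example that is not code from any of the posters. The function names, the in-memory `session` object, `TIME_LIMIT_MS` and `GRACE_MS` are assumptions for illustration; the timestamps in `demo()` are constructed.

```javascript
// Server-side time limit per question; the client timer is only for presentation.
const TIME_LIMIT_MS = 10000; // assumed allowed time per question
const GRACE_MS = 1500;       // assumed allowance for network latency

// Stands in for per-user server-side session storage (e.g. a session variable).
function createSession() {
  return { served: new Map() }; // questionId -> server timestamp when it was sent
}

// Record the server time at which a question is handed to the client.
function serveQuestion(session, questionId, now = Date.now()) {
  if (session.served.has(questionId)) {
    return { ok: false, reason: 'already-served' }; // re-requesting must not reset the clock
  }
  session.served.set(questionId, now);
  return { ok: true, questionId, timeLimitMs: TIME_LIMIT_MS };
}

// Accept an answer only if it arrives within the limit, measured on the server clock.
function submitAnswer(session, questionId, answer, now = Date.now()) {
  const servedAt = session.served.get(questionId);
  if (servedAt === undefined) return { ok: false, reason: 'not-served' };
  if (servedAt === null) return { ok: false, reason: 'already-answered' };
  session.served.set(questionId, null); // one submission per question, late or not
  const elapsed = now - servedAt;
  if (elapsed > TIME_LIMIT_MS + GRACE_MS) {
    return { ok: false, reason: 'too-late', elapsed };
  }
  return { ok: true, answer, elapsed };
}

// Constructed walk-through with a fake clock (timestamps in ms).
function demo() {
  const s = createSession();
  serveQuestion(s, 'q1', 0);
  const onTime = submitAnswer(s, 'q1', 'A', 8000);
  serveQuestion(s, 'q2', 8000);
  // The client-side timer never fired and the answer arrives after 60 s.
  const late = submitAnswer(s, 'q2', 'B', 68000);
  const replay = submitAnswer(s, 'q2', 'C', 69000);
  const reset = serveQuestion(s, 'q2', 70000);
  return { onTime, late, replay, reset };
}

console.log(demo());
```

For a rapid-fire round the same check works if several questions are sent in one response: each gets its own served timestamp, and the hide/fade timers in the browser stay purely cosmetic.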