0

I am developing a Question & Answer website where a user is presented five puzzles on a page and the score is calculated using JavaScript as he attempts the questions on the page. The score is saved in a JavaScript variable `score`. I have a paging system like this:

Page numbers

Now when the user clicks on 3 I want to send the variable `score` to the next page, where I have require `scoreUpdateInDatabase.php` on each such page such that the score of the previous page is made permanent to the database and the following PHP script presents him the next 5 questions.

How can I pass that `score` variable in a secure way? I can't use GET because the user will modify it. I am satisfied with POST if this can be used, even though POST data can be modified, but I just want minimal security.

P.S. Please do not suggest making an AJAX call where in one side I will send the score and while returning it carries the next 5 questions. I don't want to use AJAX to refresh content because it is not SEO friendly.

Naveen
  • 1
    Why don't you use AJAX to save the score and get it on the next page? – reyaner Feb 13 '14 at 11:54
  • The JavaScript is run in the client so there is nothing you can do to secure that variable. You could just save it in a cookie and read that cookie on the next page but it's not secure by any means – Jesper Blaase Feb 13 '14 at 11:55
  • 1
    What actually do you mean by secure way? You can go with POST/session as mentioned below and check values before passing them to the database, so they have to be >= 1 && <= 10, as it depends on user's input. If you want some security against bots, use tokens. Are users registered or anonymous? – Wiggler Jtag Feb 13 '14 at 11:57
  • @reyaner: The problem is when I would make the AJAX call. It seems optimal to me to make AJAX request for the final score on the page instead of making 5 AJAX calls, 1 each question. So I tried to make asynchronous AJAX call `onbeforeunload` but sometimes the `AJAX` calls were getting missed and the next page got loaded before the updations could be made. So I made the call `async:false` but this then hangs the browser for a second. Thus I dropped the idea of this approach – Naveen Feb 13 '14 at 11:59
  • @WigglerJtag: The users are registered. What are tokens actually? Can you please elaborate. I want protection against bot which may cheat scoring criteria. – Naveen Feb 13 '14 at 12:01

5 Answers

1

The simplest solution would be cookie based. Writing the value to a session cookie and then reading it.

You could use jQuery cookie. It also gives you the option to require HTTPS if desired.

Colin Bacon
0

Save it in a session. POST would work equally well in this particular case but my preference would be storing it in the session.

Nathan Dawson
  • :Yes, even I want to do that but how? Session variables can be stored using `PHP` only and for that I need to somehow pass that `score` variable to next `PHP` page. So I am stuck again at the same point. Can you suggest some way if I am missing. – Naveen Feb 13 '14 at 12:04
  • @Insane Coder: I think this is the right moment to send you to the [fine manual](http://www.w3schools.com/php/php_sessions.asp)... :-) – Fabricio Feb 13 '14 at 12:05
  • @Nathan: I already know that basic stuff. I think you didn't get my point. – Naveen Feb 13 '14 at 12:07
0

The only secure way to do this is to pass the actual answers to the server using a POST or AJAX, do the calculation of the score also on server side and keep it in a SESSION variable.

More information on sessions in PHP

Fabricio
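An added example (not part of any answer on this page) of the server-side scoring described in the answer above, combined with the per-page token mentioned in the comments on the question. The answer key, the field names `token` and `answers`, and the functions `issuePageToken` and `scoreSubmission` are hypothetical; the session is passed in as an array so the block runs from the command line.

```php
<?php
declare(strict_types=1);

// Hypothetical answer key (puzzle id => correct option), constructed sample data.
// It stays on the server; in practice it would be loaded from the database.
const ANSWER_KEY = [1 => 'b', 2 => 'd', 3 => 'a', 4 => 'c', 5 => 'a'];

/** Issue a single-use token bound to the page being rendered (goes in a hidden form field). */
function issuePageToken(array &$session, int $page): string
{
    $token = bin2hex(random_bytes(32));
    $session['page_token'] = ['page' => $page, 'value' => $token];
    return $token;
}

/**
 * Score the answers POSTed from one page. The client sends answers, never a score;
 * the running total lives only in the session.
 */
function scoreSubmission(array &$session, array $post, int $page, array $puzzleIds): int
{
    $expected = $session['page_token'] ?? null;
    unset($session['page_token']);              // single use: a replayed POST is rejected
    $sent = $post['token'] ?? '';
    if (!is_array($expected) || !is_string($sent) || $expected['page'] !== $page
        || !hash_equals($expected['value'], $sent)) {
        throw new RuntimeException('Invalid or reused page token');
    }
    $answers = is_array($post['answers'] ?? null) ? $post['answers'] : [];
    $points = 0;
    foreach ($puzzleIds as $id) {               // iterate server-known ids, not client keys
        $given = $answers[$id] ?? null;
        if (is_string($given) && array_key_exists($id, ANSWER_KEY) && ANSWER_KEY[$id] === $given) {
            $points++;
        }
    }
    $session['score'] = ($session['score'] ?? 0) + $points;
    return $session['score'];
}

// Constructed demo. On the real page, call session_start() and pass $_SESSION and $_POST.
$session = [];
$token = issuePageToken($session, 1);
$post = ['token' => $token, 'score' => '9999',  // a forged score field is never read
         'answers' => [1 => 'b', 2 => 'd', 3 => 'x', 4 => 'c', 5 => 'a']];
echo scoreSubmission($session, $post, 1, [1, 2, 3, 4, 5]), PHP_EOL;
try {
    scoreSubmission($session, $post, 1, [1, 2, 3, 4, 5]);   // same POST sent again
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

A plain HTML form whose `action` keeps the `?start=...` query string can carry these fields, so no AJAX is needed.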
0

Try looking into jQuery - You should be able to return the value to the server scripting language (as you listed PHP as a tag, I assume you're using PHP). By using jQuery, you can get the JavaScript variable to the form BEFORE submitting the form to the next page.

Assuming you have used PHP to generate the form to submit initially rather than create the form in JavaScript. I would use jQuery - to get this file ( http://jquery.com/ ) and to include("jquery.js"); etc... in your PHP script for it to be used.

I would then convert the JavaScript variable(s) to a PHP variable and assign this to a hidden field in the form to be submitted to the next page using a $_POST[] variable.

Justice
  • :Moreover, as you suggested, I can use a form. But one thing I am confused is if I use say `onclick=myform.submit()` then won't I miss the GET parameters? Like for link `1` I have url `www.mydomain.com/puzzles.php?start=001` – Naveen Feb 13 '14 at 12:31
  • To be honest, I'm not a javascript 'whiz', I just know it's possible using a php form to submit values obtained through the use of jquery. (as I've done something similar with a dropdown box dynamically changing contents within a form through the use of `.hide` and `.show`). If it was down to me doing what you seem to be describing, I would just use php to submit the contents of the form as a 'standard' html form, then validate to see if they got the answer right on the next page before you use `$score`. It would be a lot simpler and completely removes the requirement for javascript. – Justice Feb 13 '14 at 12:46
-1

However, it will not be SEO friendly (POST and SESSION are not SEO friendly, but you should use them, continue reading)

We are talking of a game. No one wants the search engine to index the last page of a game... because everyone can search on Google (for example) for the last page of your game without playing.

You have to use AJAX or POST, but don't let Google index every page of your game. It's nonsense.

Only the first page of your game should be indexed.

Salcos