I have a website where users can bet on a specified coin they think will win.
I have TT (1-7), CT (8-14) and DRAGON (0). Pretty roulette-based.
So, basically, users on my site can right click > Inspect Element > Console and paste this command: `send({"type" : "bet", "amount": "1e+2", "lower": 1, "upper" : 7, "round" : ROUND});`
This command will bet the amount 1e+2 (which is not valid) on TT, which is (1-7), on execute. The website will display that the bet is only 1 credit, but they actually put in literally a 1e+2 amount. Also, if they win, they get something like 15000+ credits instead of 2, because the TT and CT coins just double your bet amount, while DRAGON does 14x.
Is there any way to disable the console, disable console input, or something like that? I know it's fixable, just not sure which way.
Edit: additional information:
When a user tries to bet a 1e+2 amount the valid way, with the input box on my site, it says it's not a valid amount, but for the console it's not working. Also, it's not just 1e+2; they can do 2e+51 or just some random numbers and signs.
Asked by Bog Otac
- You can't disable the console. – Jun 13 '17 at 11:10
- Hmm, I'm pretty sure it's fixable, just don't know which way. – Bog Otac Jun 13 '17 at 11:12
- You can never trust anything that originates from a client & you can never make a client trustworthy. You should be running whatever checks are needed on the server and deciding if the request is legitimate there. – Alex K. Jun 13 '17 at 11:12
- Well, the server checks valid-way bets, but no idea how I can make it check console-side bets. – Bog Otac Jun 13 '17 at 11:52
- If you don't know how to get your server to check those bets, you need to hire a programmer who does. **It is impossible to stop the user from submitting invalid/fraudulent data to your server.** Your server must be alert for such data. – Brock Adams Jun 13 '17 at 19:34
1 Answer
You have to check on the server whether a sent request is valid. Always assume that every client tries to attack you. Client-side inputs can be changed very easily.
EDIT: In PHP, you can validate the input like this:
// Anchored pattern: the whole string must consist of digits only, so
// "1e+2", "2e+51", "-5" or "12abc" are rejected. Without the ^ and $
// anchors, any string that merely contains a digit would pass.
if (preg_match('/^[0-9]+$/', $sent_input)) {
    // valid input, execute the code
} else {
    die("Invalid input");
}

StuntHacks
- Any way you can help me out with that? Not sure how I should do that for the client console. – Bog Otac Jun 13 '17 at 11:53
- If you explain why certain inputs aren't valid or what makes an input valid, yes. – StuntHacks Jun 13 '17 at 12:02
- Input is valid when there are only numbers in it. Input is invalid if it contains something other than numbers, for example signs like !@#%&*(.... or even letters like awqrtyuiplapbkata ...... – Bog Otac Jun 13 '17 at 13:40
- You can use a regex to validate the sent input in the backend. You are using PHP, I assume? I will add a little explanation on how to do it there to the answer. – StuntHacks Jun 13 '17 at 15:00
- It's not working, users can still use the console to bet invalid amounts. – Bog Otac Jun 13 '17 at 18:09
- Ouh, my bad. I'm not using PHP for bets, I'm using a combination of JavaScript, PHP and a lot of modules. I didn't make that script, so it's a little bit hard for me to find the exact code affiliated with bets. – Bog Otac Jun 13 '17 at 18:14
- I think this is what you are asking for. `https://pastebin.com/9Ff4kvYG` – Bog Otac Jun 13 '17 at 18:20
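The answer's point is that every check has to run on the server, where the client cannot tamper with it. The following is an added example and not code from the question, the answer or the pastebin; it is written in JavaScript for a Node.js backend because the comments say the site mixes JavaScript and PHP. The message fields (`type`, `amount`, `lower`, `upper`, `round`) and the ranges and multipliers come from the question; the balance, current round and maximum-bet values are assumptions for illustration.

```javascript
// Added example (not the site's own code): server-side validation of the
// bet message from the question, run on the Node.js side before any credit
// is touched. Nothing the browser form validated is trusted here.

// Ranges from the question: TT = 1-7, CT = 8-14, DRAGON = 0.
// Multipliers from the question: TT and CT pay 2x, DRAGON pays 14x.
const BET_TYPES = {
  TT:     { lower: 1, upper: 7,  multiplier: 2 },
  CT:     { lower: 8, upper: 14, multiplier: 2 },
  DRAGON: { lower: 0, upper: 0,  multiplier: 14 },
};

// Only plain decimal digits are accepted, so "1e+2", "2e+51", "-5", "1.0"
// and " 10" are all rejected before any arithmetic happens.
const DIGITS_ONLY = /^[0-9]+$/;

// Assumed upper bound on a single bet (an illustrative value).
const MAX_BET = 1000000;

// Validate one raw bet message as received by the server (a JSON string or
// an already-parsed object). Returns { ok: true, bet } or { ok: false, reason }.
// balance and currentRound come from the server's own state, never from the client.
function validateBet(raw, balance, currentRound) {
  let msg;
  try {
    msg = typeof raw === 'string' ? JSON.parse(raw) : raw;
  } catch (e) {
    return { ok: false, reason: 'malformed json' };
  }
  if (!msg || typeof msg !== 'object' || msg.type !== 'bet') {
    return { ok: false, reason: 'not a bet message' };
  }

  // The amount must be a digit-only string; Number() is only called after
  // the regex passed, so exponent notation never reaches the arithmetic.
  if (typeof msg.amount !== 'string' || !DIGITS_ONLY.test(msg.amount)) {
    return { ok: false, reason: 'amount is not a plain integer' };
  }
  const amount = Number(msg.amount);
  if (!Number.isSafeInteger(amount) || amount < 1 || amount > MAX_BET) {
    return { ok: false, reason: 'amount out of range' };
  }
  if (amount > balance) {
    return { ok: false, reason: 'insufficient balance' };
  }

  // lower/upper must match one of the three allowed ranges exactly; a client
  // may not invent its own range such as 0-14.
  const name = Object.keys(BET_TYPES).find((k) => {
    const t = BET_TYPES[k];
    return t.lower === msg.lower && t.upper === msg.upper;
  });
  if (name === undefined) {
    return { ok: false, reason: 'unknown bet range' };
  }

  // The round is compared against the server's current round, not trusted.
  if (msg.round !== currentRound) {
    return { ok: false, reason: 'stale or wrong round' };
  }

  return { ok: true, bet: { type: name, amount, round: currentRound } };
}

// Payout for a validated bet once the winning number is known. The server
// computes this from the bet it stored, never from the client's message.
function payout(bet, winningNumber) {
  const t = BET_TYPES[bet.type];
  const won = winningNumber >= t.lower && winningNumber <= t.upper;
  return won ? bet.amount * t.multiplier : 0;
}

// Constructed messages: the console one from the question, and a legitimate one.
const CONSOLE_BET = '{"type":"bet","amount":"1e+2","lower":1,"upper":7,"round":42}';
const FORM_BET    = '{"type":"bet","amount":"10","lower":1,"upper":7,"round":42}';

console.log(validateBet(CONSOLE_BET, 500, 42)); // rejected: amount is not a plain integer
console.log(validateBet(FORM_BET, 500, 42));    // accepted: TT bet of 10 credits
```

The important design choice is that the amount is validated as a string against an anchored regex and only then converted to a number, so "1e+2" is refused outright instead of being silently interpreted as 100. The same function handles bets from the form and from the console identically, which is the only way to make the two paths behave the same.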