in reply to proposition for Voting system

"I'm pretty sure javascript can be used for this and it would not be hard to make it."

I'm pretty sure a lot of monks will find ways to cheat, if javascript is used ;-)


Re^2: proposition for Voting system
by spx2 (Deacon) on Jun 21, 2008 at 16:59 UTC
    I'm not aware of any way that a js like this could be cheated ...
    Are you?

      Ignoring it.

      If you put in the page a js that detects the time interval between get and post, it must pass its result as a post parameter.

      If I decide to cheat, I can make a post setting the value to anything I like.

      You can use javascript, cookies, anything you want but in the end the server sees only what I pass it in the post...

      This is the fundamental reason against the use of client-side only validation of data: one can always bypass them.

      A working strategy could be to assign (server-side) a unique identifier to every get of every page, store it in a db along with a timestamp, and compute the interval (server-side) between the post time and the get stored timestamp. This is certainly possible, but would be an enormous overhead.

      And, last but not least, cui prodest?

      Update: bootnote: I don't think that the idea in itself is good: most of my (few) downvotes are to badly formatted and incomprehensible questions. You don't need (and don't want to spend) much time to decide that a question saying "HELP!!! MY PROGRAM DOESN'T WORK!!!!!" doesn't deserve an answer...

      Careful with that hash Eugene.
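The server-side strategy described in the post above (a unique identifier per GET, stored with a timestamp, interval computed when the POST arrives), as an added example that is not part of the original thread or of PerlMonks' code. The table layout, the form field names, the `MIN_SECONDS` policy and the single-use rule are assumptions made for illustration.

```python
import secrets
import sqlite3
import time

MIN_SECONDS = 5.0  # assumed policy: minimum time between page view and vote

db = sqlite3.connect(":memory:")  # stands in for the site's database
db.execute("CREATE TABLE page_views (token TEXT PRIMARY KEY, node_id INTEGER, issued_at REAL)")


def handle_get(node_id, now=None):
    """Page is served: issue an unguessable token and record the time server-side."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(16)
    db.execute("INSERT INTO page_views VALUES (?, ?, ?)", (token, node_id, now))
    return token  # would be embedded in the vote form as a hidden field


def handle_post(form, now=None):
    """Vote arrives: returns (accepted, reason)."""
    now = time.time() if now is None else now
    row = db.execute(
        "SELECT node_id, issued_at FROM page_views WHERE token = ?",
        (form.get("token", ""),),
    ).fetchone()
    if row is None:
        return False, "unknown or already used token"
    # Single use (assumption): a token cannot be replayed for a second vote.
    db.execute("DELETE FROM page_views WHERE token = ?", (form["token"],))
    node_id, issued_at = row
    if str(form.get("node_id")) != str(node_id):
        return False, "token was issued for a different node"
    # The interval comes from the server's clock only; an "elapsed"
    # value sent by the client is never read.
    elapsed = now - issued_at
    if elapsed < MIN_SECONDS:
        return False, "voted after %.1fs, minimum is %.1fs" % (elapsed, MIN_SECONDS)
    return True, "vote accepted"


if __name__ == "__main__":
    # Constructed requests: a forged client-side timer, an honest wait, a replay.
    t = handle_get(42, now=1000.0)
    print(handle_post({"token": t, "node_id": 42, "elapsed": "999"}, now=1001.0))
    t = handle_get(42, now=2000.0)
    print(handle_post({"token": t, "node_id": 42}, now=2030.0))
    print(handle_post({"token": t, "node_id": 42}, now=2031.0))
```

Every page view costs one row that has to be written and later expired, which is the overhead the post refers to.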

        Please send the codez :-D

        holli, /regexed monk/
        So it seems that there are methods to prohibit cheating.
      In principle you can't rely on anything that comes from the client. A javascript is useless in such a context unless it sends something to the server. That can easily be intercepted or modified.

      There are a myriad of other possibilities to manipulate javascript - for example you can override some behaviour with custom js (via Greasemonkey), automatically patch it on downloading, fiddle with the js interpreter etc.

      Remember, perlmonks is regularly used by geeks who know very well how to deal with web technology. Just because you can't cheat something doesn't mean it can't be cheated at all.

      I'm not aware of any way that a js like this could be cheated ...
      One word: Firebug.

      And what will you do with people who disable Javascript?