Indie-Resource.com

Qunox wrote:Wow the key to AJAX seams rather easy but that is a good thing, right?
Well I'm not experienced with JavaScript so i do not know how to use split() too handle diffrent stuff in the string.

Yes, AJAX itself is very easy. AJAX itself can't do much beyond load a new page within an area of another page. To do all the nice, dynamic effects that AJAX can do, you need to have the Javascript abilities to do them. AJAX won't get you far on its own without Javascript abilities to do complex things with that passed data.

Qunox wrote:Well can't the user save the page localy, edit the JavaScript and run it from the desktop?(With modyfied pages)? I'm asking since i really don't know.
As far as the source code i guess a obfus is the solution...just need too get it to work xD

Yes, they absolutely can do that! Obfuscation is a small part of the solution. It helps, and it will stop at least 95% of those out there from successfully altering your Javascript to exploit it. However, the real way to secure it is the age-old, #1 lesson of web development security: Assume all data sent from the user is malicious until you can prove otherwise on the web server. This is done by first sanitizing any incoming data before using it in a query, storing it in the database or displaying it on a webpage, and also checking the logic of your application to ensure that the data you are receiving is the same data you expected, in the same range you expected, and at the right time you expected. While sanitizing your data is very easy to do with scripts freely available online, the latter is not so easy, and requires proper planning in your application.

Yes, AJAX itself is very easy. AJAX itself can't do much beyond load a new page within an area of another page. To do all the nice, dynamic effects that AJAX can do, you need to have the Javascript abilities to do them. AJAX won't get you far on its own without Javascript abilities to do complex things with that passed data.

Yeah i know . But JavaScript seams fairly easy(I'v done a bit C/++, Blitz, GML) so the syntax is not very "new" to me. The real reason i hate clientside scripting is because it's such a hassle making it safe. But thats why we use PHP(or ASP or any other server side language) as a backend to dubble check it.
I should really digg into Obfuscation, together with that and PHP as backend seams like it's a LOT "safer".

It's like that Valiadation form i made with AJAX. First it checks everything localy(JavaScript) this is because i don't want to contact the server if i dont need to. AFTER it validates Clientside it sends with AJAX the data to the PHP backend to check that the data sent haven't been modified.

Qunox wrote:It's like that Valiadation form i made with AJAX. First it checks everything localy(JavaScript) this is because i don't want to contact the server if i dont need to. AFTER it validates Clientside it sends with AJAX the data to the PHP backend to check that the data sent haven't been modified.

Exactly. Anything on the clientside is just for user convenience, and maybe to save you a few kilobytes here and there. The backend just chugs away as if the clientside validation never happened.

Qunox wrote:Well can't the user save the page localy, edit the JavaScript and run it from the desktop?(With modyfied pages)? I'm asking since i really don't know.
As far as the source code i guess a obfus is the solution...just need too get it to work xD

eh kinda. Like in my game probably not. I require so much server side interaction that the end user would get nothing out of it.

You are worrying too much about this. You don't think you can play with the code in any C++ games? Java? Darkbasic? Blitz? There are hosts of programs out there that decompile programs and all people to see the source. Look at the server emulators.

I listed a ton of them, if people want your code bad enough they will figure it out. It's all about what happens on the server, the client side should just ask the server nicely to process something and then do what its told when it gets the chance.

For example, how MMO servers work:

Player inputs commands, server gets the input from the client. Determines if movement was logical/illogical and even Remotely Humanly possible. After that it tells the client how it should continue.

If it wasn't valid then it will take whatever action deemed appropriate. CS servers look at distance traveled compared to maps and location on maps to determine if a player speedhacked or wallhacked their client (or is sending packets with hacked data). Some other servers compare accuracy and precentages to determine if people have aimhacks.

Why? Because they know people are going to hack the client, developers understand that there are people malicious and intelligent enough to circumvent their hard work. So they trust no one.

---

From there your options are:
No Javascript (thus rather lame presentation) and super secure backend.
Javascript (thus nice presentation) and super secure backend.

Regardless you are going to have to super secure your back-end, tossing out illegal data is your only real protection for developers. Because I guarantee that if your work is popular enough people will find a way to compromise it regardless of what you try. (Trufax: This is why DRM is destined to fail)

And even then, someone is just going to figure out how to emulate your server.

Well i guess your both right going high over heel to secure JavaScript might just be overkill since well since i put all important things in my backend PHP.
Well doing Emulators is not so much decompiling anything really(Well client to allow custom connection and any Hacking guards.). It's more sniffing and decrypting packages and coding
and guessing a lot.

Thanks you all for your replys

Decompile or just generally crack the clients (depending on how they are made) Servers have to -obviously- be reverse engineered. Unless of course, someone does some RL Hacking

By extreme coincidence, this was just discussed on Stackoverflow:

http://stackoverflow.com/questions/3168 ... javascript

Lol i love how there is like 5 different subjects asking for Ajax tutorials but yeah from my experiences most tutorials all focus on just one thing and I used w3 schools and they were definitely the most helpful