Mathematical Calculations

[EastCoastRider]

I have a quiz to be used in an e-learning package built with html form check boxes, radio buttons and text boxes. The answers submitted are captured and calculated using JS and all is working fine but there is one consideration. Anyone that has any computer sense can look in the source code and get the answers. Can the calculations be put on a separate page and then a reference used without server side technology

Any suggestions would be appreciated.

 

[feherke]

Hi

Anyone that has any computer sense can look in the source code and get the answers. Can the calculations be put on a separate page and then a reference used without server side technology

And how would that help ? If it is client-side code, must be accessible for the browser. What is accessible for the browser, is also accessible for any other tool.


Feherke.

http://free.rootshell.be/~feherke/

 

[IPGuru]

You could encrypt/decrypt yout answers in rthe javasript
that wouldnt stop someone geting the answer from the source but would make it more dificult, or you could use an HTTPRequest (see ajax) to open a document on the server that has the answers, again there is not much to stop a determined cheat form downloading this page so encryption and obsfucation would be needed.

realisticaly the marking routines are better suited to server side code.

I do not Have A.D.D. im just easily, Hey look a Squirrel!

 

[EastCoastRider]

Thanks to both of you for your prompt replies. I guess I should have been a bit clearer. The people that will be using this are far from IT gurus and geeks but just about everyone knows how to look at source code. It isn't a huge concern, I was just looking for options. Might look at encrypting.
Thanks again.


I like the wind in my face and the world in my rear view mirror.
Kathy

 

[EdwardMartinIII]

This is how I'd do it:

I'd make my quiz a pop-out page with all the questions. On that pop-out, the form ID names are long and complex strings of alphanumerics.

They answer the questions, and then hit [submit].

The returning page uses those answers, calculates the results, and displays them by building a page in PHP on-the-fly.

The user sees the PHP page and not the code that actually built it.

Your information isn't formally coded, but basically hidden through obfuscation.


Edward

"Cut a hole in the door. Hang a flap. Criminy, why didn't I think of this earlier?!" -- inventor of the cat door

 

[EdwardMartinIII]

Hm. This really IS a good excuse for a web app or some other server-side tech. Too bad that's not an option.


Edward

"Cut a hole in the door. Hang a flap. Criminy, why didn't I think of this earlier?!" -- inventor of the cat door

 

[EastCoastRider]

Yea - This all started to be a web app and I was using server side technology but the client's web host is unable to accomodate the dynamic pages. Has something to do with folders that he assigns to clients. I don't know. The end result is that my client has asked to have the e-learning programs on CD, So I changed from PHP to Html and JS.
Can I use PHP in a client side only environment?

I like the wind in my face and the world in my rear view mirror.
Kathy

 

[EdwardMartinIII]

Can I use PHP in a client side only environment? "

Hm, now, I think maybe not.

You might have to hide-through-obscurity.

It bears repeating that at this stage of the game, you might want to notify your client that if the only available technology is client-based, then hiding the answers might be a lot harder.

Another option, if it's only your host that's causing trouble, is to host your APP somewhere else, and have your form call the app from the OTHER server.


Edward

"Cut a hole in the door. Hang a flap. Criminy, why didn't I think of this earlier?!" -- inventor of the cat door

 

[mmerlinn]

[ ]

You say you are using JS to do the calculations. What you did not say is whether that JS is embedded on the page or is in a separate file.

If it is embedded, you are correct, almost everyone knows how to view the source code of an HTML page.

However, if your JS is in a separate file, you have a tiny bit more security as not everyone knows how to view the source of your detached JS file. And there are probably ways that you can obfuscate the address of the JS file on your HTML page to make it even harder to find.

mmerlinn

http://mmerlinn.com

Poor people do not hire employees. If you soak the rich, who are you going to work for?

"We've found by experience that people who are careless and sloppy writers are usually also careless and sloppy at thinking and coding. Answering questions for careless and sloppy thinkers is not rewarding." - Eric Raymond

 

[feherke]

Hi

Can I use PHP in a client side only environment?

My question is again : "And how would that help ?"

If it is on client side, anybody on the client side can read it. Being written in JavaScript or PHP would make no difference.

However, there is one point that can make a difference : if the code is delivered as byte code not as source code, is harder to read. That could be Java applet or Flash animation. But note that for both there are excellent decompilers, many of them free.

However, if your JS is in a separate file, you have a tiny bit more security as not everyone knows how to view the source of your detached JS file.

In Gecko and WebKit browsers in the View source window the names of external files are links to those. So putting the JavaScript code in a separate file would move them just one click far.


Feherke.

http://free.rootshell.be/~feherke/

 

[EastCoastRider]

Hello

Quote (feherke):My question is again : "And how would that help?"

The security of the information is not that inportant. As I said, the users are not teckies and would not know how to dig very far or even think about it for that matter, but I don't want them to be able to see the answers as easily a looking at an answer sheet. It it is not possible to hide them altogether, then just obscuring them would probably be satisfactory.

Quote (mmerlinn):However, if your JS is in a separate file, you have a tiny bit more security as not everyone knows how to view the source of your detached JS file.

The JS is imbedded in the test page. My original question in this thread was whether or not I could put it on a separate page. This would probably work Ok for my purpose but I am afraid that I will need some guidance to do it.



I like the wind in my face and the world in my rear view mirror.
Kathy

 

[feherke]

Hi

So if you currently have something like this :

[red]<!DOCTYPE[/red] [maroon]html[/maroon][red]>[/red]
[b]<html>[/b]
[b]<head>[/b]
[b]<title></title>[/b]
[b]<script>[/b]
[b]var[/b] secret[teal]=[/teal][green][i]'foo'[/i][/green]
[COLOR=darkgoldenrod]alert[/color][teal]([/teal]secret[teal])[/teal]
[b]</script>[/b]
[b]</head>[/b]
[b]<body>[/b]
[b]</body>[/b]
[b]</html>[/b]

If you put the JavaScript in an external file would look like this :

[red]<!DOCTYPE[/red] [maroon]html[/maroon][red]>[/red]
[b]<html>[/b]
[b]<head>[/b]
[b]<title></title>[/b]
[b]<script[/b] [maroon]src[/maroon][teal]=[/teal][green][i]"script.js"[/i][/green][b]></script>[/b]
[b]</head>[/b]
[b]<body>[/b]
[b]</body>[/b]
[b]</html>[/b]

[b]var[/b] secret[teal]=[/teal][green][i]'foo'[/i][/green]
[COLOR=darkgoldenrod]alert[/color][teal]([/teal]secret[teal])[/teal]

If you want to add basic obfuscation, you can specify the critical parts as sequences of character codes :

[b]var[/b] secret[teal]=[/teal]String[teal].[/teal][COLOR=darkgoldenrod]fromCharCode[/color][teal]([/teal][purple]102[/purple][teal],[/teal][purple]111[/purple][teal],[/teal][purple]111[/purple][teal])[/teal] [gray]// <-- same 'foo' but less obvious[/gray]
[COLOR=darkgoldenrod]alert[/color][teal]([/teal]secret[teal])[/teal]

For somehow better obfuscation you could search for example for base64 encoder/decoder implementation in JavaScript.


Feherke.

http://free.rootshell.be/~feherke/

 

[EastCoastRider]

Just what I needed. Works great for my current need. Thank you. Case closed.



I like the wind in my face and the world in my rear view mirror.
Kathy