Reputation: 245
I have a JavaScript variable saved on page load which I will use later. Is it possible for a user to change this variable? I'm trying to figure out a way to, when a user inputs something, make an AJAX post and return a couple of values.
initialize() is fired when the page loads, so the variable quantity is obtained fairly soon into page loading.
function initialize() {
quantity = parseInt(document.getElementById('shipping_quantity').value);
}
I then retrieve the shipping rate by querying a db with state for rate.
function getRate() {
var rate = '';
// `state` is set elsewhere on the page (not shown in the question)
$.post('getrate.php', {state: state}, function(data){
rate = parseInt(data);
$("input#shipping_rate").val('$' + rate);
Here is getrate.php:
<?php
include_once ('includes/config.php');
$state = "OK";
if(isset($_POST['state'])){ $state = $_POST['state'];}
$con = new PDO( DB_DSN, DB_USERNAME, DB_PASSWORD );
$st = $con->prepare( 'SELECT rate FROM freight WHERE administrative_area_level_1 = :state' );
$st->bindParam( ':state', $state, PDO::PARAM_STR, 2 );
$st->execute();
$row = $st->fetch();
$rate = $row['rate'];
echo $rate;
?>
The shipping total is calculated in the last part of the getRate() function:
var total = (rate * quantity);
$("input#shipping_total").val('$' + total);
});
When I put it all together it works, but I'm concerned that the quantity could be changed before the total gets calculated.
I'm considering making the shipping form post back to itself and calculating the shipping rates in a functions PHP file.
The example I'm looking at.
Upvotes: 0
Views: 937
Reputation: 12985
You just need to make sure you have the Javascript send any prices back to the server that get used. That way, if someone does change them, it doesn't matter.
Your server will need to look up the price one time to show the user how much it is and then another time, when they submit the order, to figure out the total to bill them (or their credit card).
That way you control the price and you don't have to care if the user fools with it.
Upvotes: 0
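As an added illustration of this answer's point (not code from the question or from either answer), here is a server-side order handler that recomputes the shipping total from the database and ignores whatever total the browser posts. It assumes the same includes/config.php constants and freight table as the question's getrate.php; the shipping_total mismatch check and JSON response shape are assumptions for the example.

```php
<?php
// Added example: recompute the shipping total server-side instead of
// trusting any rate or total the browser sends. Assumes the question's
// includes/config.php constants and freight table.
include_once 'includes/config.php';

function lookupRate(PDO $con, string $state): ?int
{
    $st = $con->prepare(
        'SELECT rate FROM freight WHERE administrative_area_level_1 = :state'
    );
    $st->bindParam(':state', $state, PDO::PARAM_STR, 2);
    $st->execute();
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (int) $row['rate'];
}

// Validate client input: a two-letter state code and a positive integer quantity.
$state = isset($_POST['state']) ? strtoupper(trim($_POST['state'])) : '';
if (!preg_match('/^[A-Z]{2}$/', $state)) {
    http_response_code(400);
    exit('invalid state');
}
$quantity = filter_input(INPUT_POST, 'quantity', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1, 'max_range' => 10000]]);
if ($quantity === false || $quantity === null) {
    http_response_code(400);
    exit('invalid quantity');
}

$con = new PDO(DB_DSN, DB_USERNAME, DB_PASSWORD);
$con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$rate = lookupRate($con, $state);
if ($rate === null) {
    http_response_code(400);
    exit('unknown state');
}

// The authoritative total. A shipping_total field posted by the browser is
// ignored for billing; if it disagrees, log it as a tampering signal.
$total = $rate * $quantity;
if (isset($_POST['shipping_total'])
    && (int) ltrim($_POST['shipping_total'], '$') !== $total) {
    error_log("shipping total mismatch: client sent {$_POST['shipping_total']}, server computed {$total}");
}
echo json_encode(['rate' => $rate, 'quantity' => $quantity, 'total' => $total]);
```

The same lookup runs once to display the rate and again when the order is submitted, so the client-side quantity variable is only ever a convenience for the UI.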
Reputation: 1075009
Is it possible for a user to change this variable.
Probably, but more importantly, you essentially can't trust any information sent to you from the client. "Trust, but verify" I believe was the phrase... So in addition to anything you do client-side for convenience or UI, you must double-check it server-side.
Specifically in your case, you said you have:
function initialize() {
quantity = parseInt(document.getElementById('shipping_quantity').value);
}
As written, that seems to either rely on a global quantity variable or, worse, create one via The Horror of Implicit Globals. In either case, yes, it's trivially easy for the user to change it. They can open the JavaScript console and type:
window.quantity = 42;
and press Enter.
You can defend against that and make it slightly harder by putting all of your code in a scoping function:
(function() {
// Your code here, e.g.:
var quantity = 0;
function initialize() {
quantity = parseInt(document.getElementById('shipping_quantity').value);
}
// ...and so on
})();
That at least prevents it being a global and being quite so easy to modify. But it's still really easy: all they have to do is use any modern browser, open the Dev Tools, put a breakpoint in the code, and when the breakpoint is reached, modify the value of quantity.
Using a scoping function is a good idea anyway, because globals are generally bad news. It does mean, though, that if you use old-fashioned onXYZ attributes to hook up event handlers, you have to switch from doing that to using DOM methods (or, as you use jQuery, its on function and such) instead, because onXYZ attributes can only call functions accessible from global scope.
Upvotes: 2