A safe way of encrypting
seifer
09-12-2003, 11:57 AM
Hi
Me and a friend are setting up a riddle website, and we need a safe way of encrypting the answers. We want to use JavaScript because we don't know PHP or msql. We thought about ASCII encryption with a keyword, but that would mean putting the keyword in the source. Any ideas? I can do basic stuff, but nothing complicated!
Thanx
Mike
David Harrison
09-12-2003, 12:07 PM
There is no real safe way with client side languages but you can always try and put people off by making it difficult for them.
For instance, you could include your js inside a separate .js file and there are some encryption programs out on the web that you can use to encrypt your js with, (I don't know where they are but if you do a search you should turn something up).
Little things like that will mean that 99.9% of people won't even try to decode the answers to your quiz and the remaining 0.1% need to get a life, badly.
Jeff Mott
09-12-2003, 01:13 PM
"Little things like that will mean that 99.9% of people won't even try to decode"
Actually, I think this is quite the opposite. For many people experienced with JavaScript, mediocre security schemes represent a challenge rather than a barrier. They will attempt to break it simply because it is there, even if the information it protects is of no value to them.
However, if you never display the actual answer but only need to check if what the user input was correct or not then you can use a one-way hash function, also called a message digest. SHA-1 and MD5 are the best choices for this type of function. You can find JavaScript libraries for these functions at http://pajhome.org.uk/crypt/md5/.
David Harrison
09-12-2003, 02:01 PM
So you'd try and break someone's best efforts to hide data from you? Oh well then it must be just me that's strange then.
seifer
09-12-2003, 04:47 PM
Ok, I think I'll use the crypto recommended by Jeff Mott....but I can't work out how to get it to do a pass or similar.
I'm looking to do something like this:
<form method="get" name="form1">
<input type="text"><input type="submit" onSubmit="
if (form1.value == 'what i want to encrypt)
{
alert('well done')
};
document.href='locationnew.html';">
What I want to know is
1) Is the above code right?
2) How do I incorporate the encryption into that?
Mike
Originally posted by lavalamp
So you'd try and break someone's best efforts to hide data from you? Oh well then it must be just me that's strange then.
Why should that be strange? Security should never be based on the assumption that "if you do your best, people will leave it alone." Also, as Jeff stated, those interested in security (or obtaining the data that is hidden -- though I'd guess a large percentage of the time, they really won't care what data is hidden. It's just the fact that it is...) may/will try to break it, to see how it was encrypted, and if they can break it.
David Harrison
09-12-2003, 05:06 PM
I realise that there are people out there that will try and access encrypted/protected data that they shouldn't have access to, and that some may do it for money or other personal gain.
All I am saying is that, even if I could, I wouldn't go around doing it for fun.
Jeff Mott
09-12-2003, 05:18 PM
if (hex_sha1(document.getElementById('some_text_box').value == '0a49502e4e64f0909fd4faaab12f4f056e7d99ae')
; // correct
else
; // incorrect
In this example the condition will return true if some_text_box was "W3C". As you might guess, the hex string is the SHA-1 encrypted version of "W3C". You will have to calculate this string and hard code it into your script. The link I provided earlier has an input and result field to calculate the hashes for you.
Jeff Mott
09-12-2003, 05:35 PM
"even if I could, I wouldn't"
That's fine. I was only saying that there are still many who do. And so I believed your 99.9% figure, which was your basis for evaluating other shoddy security systems, to be inaccurate.
"doing it for fun"
There is a difference between something that is fun and something that is intellectually engaging. For example, would you consider what you're doing now as fun? Sitting at a computer posting/reading messages about Web development?
seifer
09-13-2003, 06:22 AM
Ok, I have used the example of w3c, and I have put the script src that you have to in the head, and my code looks like this:
<form name="form1">
<input name="some_test_box" type="text" id="some_test_box">
<input type="submit" name="Submit" value="Submit" onClick="
if (hex_sha1(document.getElementById('some_text_box').value == '0a49502e4e64f0909fd4faaab12f4f056e7d99ae')
{alert('yes')};
// correct
else
{alert('no')};
// incorrect">
</form>
But it doesn't do anything, even reject my wrong answers!
David Harrison
09-13-2003, 08:20 AM
I don't consider it boring. I like helping people when I can, surely that's a good enough reason to be here.
Also I notice that in this line:
if (hex_sha1(document.getElementById('some_text_box').value == '0a49502e4e64f0909fd4faaab12f4f056e7d99ae')
{alert('yes')};
You have one more set of brackets to close, like this:
if (hex_sha1(document.getElementById('some_text_box').value == '0a49502e4e64f0909fd4faaab12f4f056e7d99ae'))
{alert('yes')};
Do you have a function that encrypts what the user entered in the text box? Because if not, then of course what the user entered will be wrong.
Jeff Mott
09-13-2003, 11:51 AM
"I don't consider it boring"
I know. That was the point.
"You have one more set of brackets to close, like this:
if (hex_sha1(document.getElementById('some_text_box').value == '0a49502e4e64f0909fd4faaab12f4f056e7d99ae'))
{alert('yes')};"
You put the parenthesis in the wrong spot though ;)
if (hex_sha1(document.getElementById('some_text_box').value) == '0a49502e4e64f0909fd4faaab12f4f056e7d99ae')
{alert('yes')};
Sorry, though. This problem was my bad. I noticed I had the same missing parenthesis in the example I gave.
David Harrison
09-13-2003, 03:14 PM
I didn't actually read the code, I just assumed that the closing bracket would go before the opening brace. My bad too, except that because I'm English it was my mistake too.
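The hash comparison the thread settles on, as an added example that is not part of any post: it normalizes the input before hashing and stores a per-riddle salted PBKDF2 digest instead of a bare SHA-1, so equal answers do not share a digest and each guess costs more. Node's built-in crypto module stands in for the library's hex_sha1; the riddle answers, salt size and iteration count are assumptions.

```javascript
// Added example: the answers, salts and work factor are constructed for illustration.
const { createHash, pbkdf2Sync, randomBytes } = require('node:crypto');

// Fold case and whitespace so "W3C", " w3c " and "W3c" hash to the same value.
function normalize(answer) {
  return String(answer).normalize('NFKC').trim().toLowerCase().replace(/\s+/g, ' ');
}

// Plain unsalted digest, the scheme used in the thread.
function sha1Hex(text) {
  return createHash('sha1').update(text, 'utf8').digest('hex');
}

const ITERATIONS = 100000; // assumed work factor
const KEY_LEN = 32;        // derived digest length in bytes

// Build step, run by the site author: only salt and digest go into the page.
function makeRecord(answer, salt = randomBytes(16)) {
  const digest = pbkdf2Sync(normalize(answer), salt, ITERATIONS, KEY_LEN, 'sha256');
  return { salt: salt.toString('hex'), digest: digest.toString('hex') };
}

// Check step, run on the visitor's input against a published record.
function checkAnswer(input, record) {
  const salt = Buffer.from(record.salt, 'hex');
  const digest = pbkdf2Sync(normalize(input), salt, ITERATIONS, KEY_LEN, 'sha256');
  return digest.toString('hex') === record.digest;
}

// Two constructed riddles that happen to share an answer.
const riddleA = makeRecord('W3C');
const riddleB = makeRecord('w3c');

console.log('unsalted digests equal:', sha1Hex(normalize('W3C')) === sha1Hex(normalize('w3c')));
console.log('salted digests equal:  ', riddleA.digest === riddleB.digest);
console.log('" w3c " accepted:', checkAnswer(' w3c ', riddleA));
console.log('"W3D" accepted:  ', checkAnswer('W3D', riddleA));
```

Because the check still runs on the visitor's machine, this only raises the cost of guessing; a check performed on a server keeps the digest out of the page entirely.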