I'm developing a quiz with which you can win a few cool prizes. Therefore I'm afraid that someone might try to hack/manipulate it.
All participants have to be logged in, and the website takes 15 questions from the db and gives them to JavaScript, which then paints the quiz. When a user finishes all questions or answers one incorrectly, the quiz makes an Ajax call to the backend and inserts the points in the db.
To decide what answer (there are always 4) is correct, the quiz must know which one is correct. This data is provided as a Base64-encoded string and then decoded in JavaScript.
Question 1: Is this secure? Are there better ways?
Whenever the quiz is started, I save the quiz id in the database. When the final Ajax call is made, I check for that id, I check whether the given answers are the ones associated with the quiz (and their order), and I check a token (there is one in the session and one in JavaScript, both generated based on the quiz and some salt values; they are generated using md5, sha1 and substr in PHP).
Question 2: Is this secure? Are there better ways? Did I miss something?
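
The following is an added example, not part of the original post. It sketches in Node.js JavaScript (the post's backend is PHP) why a Base64 answer key is readable by any participant, and an alternative in which the server grades each answer and keeps the score itself; the function names, the in-memory `Map` standing in for the db and the sample questions are assumptions.

```javascript
// Added illustration (Node.js); all names and sample data are constructed.
const crypto = require("node:crypto");

// Design from the post: the answer key travels to the browser as Base64.
// Base64 is an encoding, not protection, so any participant can read it back.
function decodeAnswerKey(b64) {
  return JSON.parse(atob(b64));
}

// Alternative: the answer key and the score live only on the server.
const QUESTIONS = [ // constructed sample rows standing in for the db
  { text: "2 + 2 = ?", options: ["3", "4", "5", "6"], correct: 1 },
  { text: "Capital of France?", options: ["Rome", "Oslo", "Paris", "Bern"], correct: 2 },
];
const quizzes = new Map(); // quizId -> { userId, next, score, done }

// Only text and options are sent to the browser; `correct` is never serialized.
function publicView(i) {
  const { text, options } = QUESTIONS[i];
  return { index: i, text, options };
}

function startQuiz(userId) {
  const quizId = crypto.randomUUID();
  quizzes.set(quizId, { userId, next: 0, score: 0, done: false });
  return { quizId, question: publicView(0) };
}

// One call per answer. The client sends a choice, never a point total.
function submitAnswer(userId, quizId, index, choice) {
  const q = quizzes.get(quizId);
  if (!q || q.userId !== userId) return { error: "unknown quiz" };
  if (q.done) return { error: "quiz finished" };            // rejects replays
  if (index !== q.next) return { error: "out of order" };    // rejects skips and retries
  if (!Number.isInteger(choice) || choice < 0 || choice > 3) return { error: "bad choice" };
  const right = QUESTIONS[index].correct === choice;
  if (right) q.score += 1;
  q.next += 1;
  q.done = !right || q.next === QUESTIONS.length;
  return { right, score: q.score, done: q.done, question: q.done ? null : publicView(q.next) };
}
```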