While I have a suspicion that there isn't a way to make a completely untouchable JSON object in a web application, I was wondering if any of you had ways to maintain a global JSON object that could not be altered using developer tools' consoles. I know that calling this a "private" variable isn't the most accurate description but the restrictions that a private variable in OO languages are basically what I would like to have applied to my JSON object.
I have an application that I am developing that would benefit from keeping a savvy user from interacting with the object that I'm using for storing data in the Javascript file.
Any suggestions on how to approach this开发者_StackOverflow社区 would be appreciated.
If your Javascript is running in a browser, it's vulnerable to manipulation. There is no way around that. Put any truly private data on the server side and use AJAX to access it from your Javascript.
Actually you can have "private" variables in javascript and getter method to acces them:
you can do:
function privateData(){
var _myVariable = 1;
return {
getData: function(){
return _myVariable;
}
}
}
var myObject = privateData();
myObject._myVariable; //it's undefined
myObject.getData();//returns 1
In this example the variable _myVariable is not accessible in the browser and not modificable by the user in any way because it's local scope is inside the function. Your function returns an object that can access that variable because, by returning an object, you create a closure.
In this case getData is a property of the returned object and can access _myVariable because it's local scope is that of function privateData.
I reccomend the books:
- Object Oriented Javascript and Javascript patterns by Stojanov
- Javascript: the good parts by Crockford
for some advanced javascript tecniques
This article from Douglas Crockford http://javascript.crockford.com/private.html may help.
Remeber though, as soon as code hits the client machine, it's under their control. So don't use this as any type of security.
Your best bet is encrypting the data or giving it some sort of integrity key. An integrity key would be a server side generated hash of some of the data plus a salt that you would check against on the server on a round trip.
Encrypting the data will help avoid modification on the client side; an integrity key would help avoid modification on the client side that gets pushed to the server.
What you are asking can not be done unless the browser/engine support const
If it properly closed, then it wont be able to be modified as easily (but still can be if the hacker is really good at their job)
I don't think it's possible to keep people from changing an object that you've constructed in javascript.
You could store a hash of the data and verify the hash is still correct whenever you use the data from the object, but that would just make it harder for a savvy user to change the object, not impossible. (Security by obfuscation, isn't really security, at all.)
The top answer is wrong, since everyone can redefine any function with the developer tools, and also inspect the source code. The idea is that everything within your frontend files is totally accessible and manipulable. The only thing you can do is to store the object in a JSON or txt file and get it with Ajax. You can get it once and make it globally available. Nonetheless, someone, although they can't see the structure and the content of your JSON file, they can guess it by inspecting the functions you invoke with the object as a parameter. But this would require a lot of work and time, and nobody would be interested in doing it, unless you object contain some private information, like passwords.
![Interactive visualization of a graph in python [closed]](https://www.devze.com/res/2023/04-10/09/92d32fe8c0d22fb96bd6f6e8b7d1f457.gif)
加载中,请稍侯......
精彩评论