I have been using a video game website. There are some events which call a JavaScript function, and the function has some action with a callback.

Something similar to this:

 <input type="button" onclick="changeSomething()"/>

 function changeSomething() {
     // some callback, which changes something
 }

Now anyone who knows it can call changeSomething from the browser's address bar, which we don't want.

It is most unlikely that a person is going to do it, but I wish to take.

Is there any way to avoid a situation such as this?

P.S. I tried, but I am still unsure whether I described it well enough. Please tell me if you're not getting something.

You will never be able to get 100% protected against any technique you attempt. It is a losing game.

With that said, one method to get closer to your goal would be to remove the onclick attribute altogether, and bind your click handler (i.e. "changeSomething") via JavaScript:

<input id="foo" type="button" />

addEvent(document.getElementById("foo"), 'click', function() {
    // some callback, which changes something
});

The callback then becomes anonymous (e.g. there's no "changeSomething" function any longer). These evil users can't call it directly if they don't know its name!

There are still ways around this technique too, but we will not mention those lest we give the evil doers ideas :)

(BTW addEvent is simply a sample library function for adding event handlers. I am sure you can get one. Otherwise here you go.)

I don't believe that there's anything you can do about this. The client can run anything they want inside their own browser. The only thing to do is validate everything on the server side. This is an important concept in all web programming. Client-side code can be freely modified and should be treated as an additional check to speed things up rather than as a security measure.

You need to handle this on whatever back-end you have accepting the request. Presuming you only give the user the option to doSomething() under certain conditions, you most likely have this information in the database (or whatever).

Don't worry about the JavaScript being called (no way around it), and perform the same check you did on the front-end on the back-end. This way you can just forget about securing your front-end, because you can't anyway... yet you'll still prevent malicious users from doSomethinging when they aren't supposed to.

Let me know if you want further clarification of what I'm saying, but I'll need more details about what your application architecture is like.
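The back-end check this answer describes, as an added example that is not from the original thread: a constructed in-memory object stands in for "the database (or whatever)", and canDoSomething, renderButton and handleDoSomething are hypothetical names. The same rule decides whether the button is rendered and whether the request is honoured, so calling the client-side function by hand gains nothing.

```javascript
// Constructed in-memory stand-in for "the database (or whatever)".
const db = {
  users: {
    alice: { level: 5, cooldownUntil: 0 },
    bob:   { level: 1, cooldownUntil: 0 },
  },
};

// The condition under which the user is offered the doSomething button.
// It is a plain function so the exact same rule can be evaluated both when
// rendering the page and when handling the request (hypothetical name).
function canDoSomething(user, now) {
  return user.level >= 3 && now >= user.cooldownUntil;
}

// Front-end side: only emit the button when the condition holds. This is a
// convenience for honest users, not a security control (hypothetical name).
function renderButton(user, now) {
  return canDoSomething(user, now)
    ? '<input id="foo" type="button" value="Do something" />'
    : '';
}

// Back-end side: every request is re-checked against the database, whether or
// not the button was rendered. The user identity comes from the server-side
// session, never from request parameters the client controls (hypothetical name).
function handleDoSomething(session, now) {
  const user = db.users[session.userId];
  if (!user) {
    return { status: 401, error: 'not logged in' };
  }
  if (!canDoSomething(user, now)) {
    return { status: 403, error: 'not allowed' };
  }
  // Perform the state change and start a cooldown, so a repeated call fails
  // the same check on the next request.
  user.cooldownUntil = now + 60000;
  return { status: 200, result: 'done' };
}
```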

Any "solution" is going to be as effective as crippling right-click in a Web page... For the latter problem, I found at least a dozen workarounds, including viewing the page in Opera!

If you disable this, someone will work around it with Firebug, Greasemonkey, some proxy modifying the HTML on the fly, or even a local copy of the page, etc.

You can check the origin of the click by passing an ID:

<input id="good" type="button" onclick="changeSomething(this.id)"/>

 function changeSomething(myId) {
   if(myId!='good') {
     return; // ignore calls that did not come from the button
   }
   // ... changes something
 }


Modified to:

<input id="good" type="button" onclick="changeSomething(this)"/>

     function changeSomething(myId) {
       if(myId.id!='good') {
         return; // ignore calls that did not come from the button element
       }
       // ... changes something
     }