I am planning to create a quiz application. In the quiz application I keep the data on the server, meaning that if I have stored the data server-side, in memory or in a database, and at the same time send that data to the client, the answers can be seen in the HTTP response, which leads to JSON hijacking and exploitation of the application. How do I handle the security issues in a quiz application using Angular with Web API or MVC?

If I do not want to show the answers on the client, how can I handle that? Which is the better approach in terms of performance? E.g. if I have 5 questions and the user has answered all 5, there is a Finish button at the end; when the Finish button is clicked the answers are sent to the server side. How do I then display the score to the client?

Alternatively:
2) For every answer request, is it better to check it on the server side?
Or is there another way to do it?
Approach 1:

    using System.Collections.Generic;
    using System.Web.Mvc;

    public class Questionsoptions
    {
        public string Question { get; set; }
        public string OpA { get; set; }
        public string OpB { get; set; }
        public string OpC { get; set; }
        public string Ans { get; set; }   // serialised to the client together with the other fields
    }

    public JsonResult QuizQuestionAns()
    {
        List<Questionsoptions> obj = new List<Questionsoptions>();
        obj.Add(new Questionsoptions
        {
            Question = "What is 12+20?", OpA = "21", OpB = "32", OpC = "41", Ans = "B"
        });
        obj.Add(new Questionsoptions
        {
            Question = "What is 12+12?", OpA = "10", OpB = "12", OpC = "24", Ans = "C"
        });
        obj.Add(new Questionsoptions
        {
            Question = "What is 12+24?", OpA = "36", OpB = "24", OpC = "12", Ans = "A"
        });
        // Every property of Questionsoptions, including Ans, ends up in the JSON response
        return Json(obj, JsonRequestBehavior.AllowGet);
    }
Angular:

    $http({
        method: 'GET',
        url: '/someUrl'
    }).then(function successCallback(response) {
        // the answers arrive in the response // attack
    }, function errorCallback(response) {
    });
External JSON:
**If I store the questions in JSON, how secure is that?**

    $http({
        method: 'GET',
        url: '/someUrl'
    }).then(function successCallback(response) {
        // In the response we will get the object and attack
    }, function errorCallback(response) {
        // called asynchronously if an error occurs
        // or server returns response with an error status.
    });
Approach 3:
If it is stored inside the application object, it can also be seen on the client.
How do I make a more secure quiz application without the answers being visible on the client?
The example below stores the questions and answers in an array: anyone can see them.
    angular.module('quiz.service', []);
    angular.module('quiz.directive', []);
    angular.module('quiz.filter', []);
    angular.module('quiz', ['quiz.service', 'quiz.directive', 'quiz.filter']);

    var QuizController = function ($scope) {
        "use strict";
        // Questions, options and the "correct" flag all live in the browser
        $scope.questions = [
            {"questionText": "Why is the sky blue?", "answers": [
                {"answerText": "blah blah 1", "correct": true},
                {"answerText": "blah blah 2", "correct": false},
                {"answerText": "blah blah 3", "correct": false}
            ]},
            {"questionText": "Why is the meaning of life?", "answers": [
                {"answerText": "blah blah 1", "correct": true},
                {"answerText": "blah blah 2", "correct": false},
                {"answerText": "blah blah 3", "correct": false}
            ]},
            {"questionText": "How many pennies are in $10.00?", "answers": [
                {"answerText": "1,000.", "correct": true},
                {"answerText": "10,000.", "correct": false},
                {"answerText": "A lot", "correct": false}
            ]},
            {"questionText": "What is the default program?", "answers": [
                {"answerText": "Hello World.", "correct": true},
                {"answerText": "Hello Sunshine.", "correct": false},
                {"answerText": "Hello my ragtime gal.", "correct": false}
            ]}
        ];
        $scope.answers = {};      // user's selection, keyed by question index
        $scope.correctCount = 0;

        // Grading is done entirely on the client, against the flags above
        $scope.showResult = function () {
            $scope.correctCount = 0;
            var qLength = $scope.questions.length;
            for (var i = 0; i < qLength; i++) {
                var answers = $scope.questions[i].answers;
                $scope.questions[i].userAnswerCorrect = false;
                $scope.questions[i].userAnswer = $scope.answers[i];
                for (var j = 0; j < answers.length; j++) {
                    answers[j].selected = "donno";
                    if ($scope.questions[i].userAnswer === answers[j].answerText && answers[j].correct === true) {
                        $scope.questions[i].userAnswerCorrect = true;
                        answers[j].selected = "true";
                        $scope.correctCount++;
                    } else if ($scope.questions[i].userAnswer === answers[j].answerText && answers[j].correct === false) {
                        answers[j].selected = "false";
                    }
                }
            }
            //console.log($scope.answers);
        };
    };

    // Register the controller with the module so the view can use it
    angular.module('quiz').controller('QuizController', ['$scope', QuizController]);
Can I use JSON padding to avoid this? Is there any other way to prevent it?

If you don't want users to see the answers, you must never send them to the client. – SLaks

I have implemented a side project similar to this quiz application. There are many ways to do this, but one way is that after the user submits an answer, the server returns which one was the correct answer. Before the question is answered, you cannot send the answer to the client in any shape or form. In some applications you would never send it at all and only show a score at the end. – juunas
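As an added example (not code from the question or from either commenter), this is what the server side looks like when the answer key stays on the server, as SLaks and juunas describe. The question bank is projected into a DTO that has no answer field before it is serialised, so the GET response cannot leak it regardless of how the client fetches it, and grading happens in a POST handler that returns only verdicts and a score. It targets ASP.NET MVC 5; the names QuizController, QuestionDto, SubmissionDto, ResultDto and the two routes are assumptions.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Web.Mvc;

// Added example; not the asker's code. Names below are hypothetical.
public class QuizController : Controller
{
    // Server-side question bank. CorrectIndex never leaves this class except
    // as a verdict on an answer the client has already committed to.
    private class Question
    {
        public int Id;
        public string Text;
        public string[] Options;
        public int CorrectIndex;
    }

    private static readonly List<Question> Bank = new List<Question>
    {
        new Question { Id = 1, Text = "What is 12+20?", Options = new[] { "21", "32", "41" }, CorrectIndex = 1 },
        new Question { Id = 2, Text = "What is 12+12?", Options = new[] { "10", "12", "24" }, CorrectIndex = 2 },
        new Question { Id = 3, Text = "What is 12+24?", Options = new[] { "36", "24", "12" }, CorrectIndex = 0 },
    };

    // What the client is allowed to see: there is no answer property to serialise.
    public class QuestionDto
    {
        public int Id { get; set; }
        public string Text { get; set; }
        public string[] Options { get; set; }
    }

    public class SubmissionDto
    {
        public int QuestionId { get; set; }
        public int SelectedIndex { get; set; }
    }

    public class ResultDto
    {
        public int QuestionId { get; set; }
        public bool Correct { get; set; }
    }

    // GET /Quiz/Questions
    [HttpGet]
    public JsonResult Questions()
    {
        var visible = Bank
            .Select(q => new QuestionDto { Id = q.Id, Text = q.Text, Options = q.Options })
            .ToList();
        // Wrap the list in an object rather than returning a bare top-level array;
        // the bare-array form is what classic JSON hijacking of GET responses targeted.
        return Json(new { questions = visible }, JsonRequestBehavior.AllowGet);
    }

    // POST /Quiz/Submit, JSON body: [{ "questionId": 1, "selectedIndex": 1 }, ...]
    // Grading happens here; only verdicts and the score go back to the client.
    // Add CSRF validation suited to your AJAX setup (the built-in
    // [ValidateAntiForgeryToken] reads the token from a form field, not a JSON body).
    [HttpPost]
    public JsonResult Submit(List<SubmissionDto> submissions)
    {
        if (submissions == null)
            return Json(new { error = "no answers submitted" });

        var byId = Bank.ToDictionary(q => q.Id);
        var graded = new HashSet<int>();   // each question counts once, whatever the client sends
        var results = new List<ResultDto>();
        int score = 0;

        foreach (var s in submissions)
        {
            Question q;
            // Ignore unknown ids, repeats and out-of-range indices instead of trusting the client.
            if (!byId.TryGetValue(s.QuestionId, out q) || !graded.Add(s.QuestionId) ||
                s.SelectedIndex < 0 || s.SelectedIndex >= q.Options.Length)
                continue;

            bool correct = s.SelectedIndex == q.CorrectIndex;
            if (correct) score++;
            results.Add(new ResultDto { QuestionId = q.Id, Correct = correct });
        }

        return Json(new { score, total = Bank.Count, results });
    }
}
```

Both of the asker's variants fit this shape: posting one SubmissionDto per question gives the per-question verdict juunas describes, posting all of them from the Finish button gives only the final score; in either case the key never reaches the browser. JSONP (JSON padding) does not help here, since it is a mechanism for making a response readable cross-origin and so widens exposure rather than narrowing it; the only fix is to omit the answer from what is serialised.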