How to hide javascript variables to users?

Question

在子手游戏中，单词位于一个数组中，然后用户可以访问以下所有单词： http : //www.mygame.com/js/functions.js用户是否有办法看不到它们（不使用数据库）？

Answer 1

Basically no. As the code will run on the client side, the user always will have access to these values even if you obfuscate it. You can make it harder to the user to access it if you use some obfuscation method, but you definitely can't hide your data completely from him.

As an alternative solution, you could move this validation logic to your server and send your information to it in order to check if it is valid.

Edit : using a hash like MD5 or SHA1 as suggested in André's answer would be actually a smart move if you can't move the validation to the server. You could also add salt to protect it from the rainbow table vulnerability.

Answer 2

Best way on the client side

Use MD5 hashing!

General best bet

Let a backend handle the validation.

---

Alternatively

You could acquire them from the server. And load them directly into a Closure.

That way it won't be available as a public variable, and the words would be sent at the last possible minute. To add to it, you could obfuscate it, or let the back-end handle the validation.

var validate = (function(){
    var words;

    // some ajax code to load the words...

    return function(word){
         // loop through words to see if it is there.'
         return true;
    }
})();

And then add to that, some obfuscation, as the others have mentioned. This is probably as much as you can do, to make it a bit "harder", to get to. But no matter what, as long as you do the validation client side.

Answer 3

Obfuscation alone is not the answer, because that obfuscates variables, and what you're looking to do is encrypt the string within the variable. Strings don't obfuscate.

The best non-server-side validation answer I can give is this: You can manually encrypt the strings in any of several ways. One of the easiest ways to do so is to XOR each character in your string with some value (before putting it in the array, and then any time you want to reference the character). This will make the strings unreadable to users, but someone who reads the code will see what you're doing and could then work around it. Still, this plus obfuscation would take care of most of your issues - if someone wants to go to the extreme of deobfuscating and decrypting your code to cheat at Hangman , they have way too much time on their hands.

Answer 4

You could obfuscate the code. For example: http://www.javascriptobfuscator.com/Default.aspx

Answer 5

Your word needs to live on the server. This is not possible browser-only. You only need a database if you want users to be able to pause a game and finish later, but it's hangman, so that's probably not necessary.

Answer 6

Obfuscation is your best bet. If you require your game to run on the client's end, then everything needs to be available to them.

While you cannot completely protect your data, you can make it extremely difficult and tedious for someone to figure out what it is. I probably would just play the game the normal way if that were easier, unless valuables were at stake.

If someone really wanted to look up the answer, they will spend the time and effort to do so. If I had an audience of a million people, I see value in deterring 90% of them from trying to cheat.