
JavaScript Is there any way to prevent Javascript changing things without site permission?

JosiahMaybe

Gold Coder
So I may have worked out a secure way to sell except that in like my site hackers may be able to bypass like my selling logic. I would do custom country check in Javascript using navigator.geolocation, prefill paddle.com checkout with Javascript. paddle.com checkout starts in Javascript and after that there is paddle.com and then there is a web hook to a PHP script upon purchase. I plan for prefill country, region, and email and having custom_data hold email and a customer generated password so like my end PHP script can use both of those. Like my problem is that Javascript in console can be run and possibly make a purchase without like my code prefilling so custom country check not happened.

I prefer having that custom country check because places like Greenland and others have it like I am not copyright protected. It is harder to fake country when you must be in it to purchase. I have heard that there may be a way to restrict scripts being run on a web site. Is that true and if so, how? paddle.com checkout opens from Javascript. I can probably write most of like my code to be disappearing but what good would that do? I can close checkout once it opens and some things are near impossible to remove, like a listener in paddle.com checkout from starting it or setInterval code. If I could at least make this semi-secure would be good. It would be paddle.js and its checkout procedures I would be using.

Like my plan currently is have a setInterval code that does both custom country check and paddle.com checkout opening or if not checked adequately, close checkout, and also have that paddle callback thing only allow opening if all is prefilled and correct. In this way I think I can be mostly secure about this, but do I need that and can I just like ban console usage? This is like my one possible flaw in like my selling plan but I seem to have nearly fixed it already. I still would prefer a review or a better option possible maybe.

Assume I have complete within reason control over like my web site and running environment but I may use a shared hosting for cost. X E.
 
You don't necessarily need js in order to get location. Since you're using php, I suggest looking at these suggestions:

I've used similar logic in C#.NET for my applications, works rather nicely.
 
Yes there is that and PHP but that is only IP tracking and navigator.geolocation is more accurate. Thanks for that though. Maybe I should do an IP test and output it to Javascript to be used if it is with correct country. Instead of setInterval, which I found can be shut off, I may do like separate PHP site for buying, only initialize paddle.com checkout after custom country check, and as paddle checkout closes so closes window with it. Also checks for correct things in paddle checkout and that PHP check, no updating checkout and IP check and navigator.geolocation check must match. With that IP check, only output HTML and JS when correct country.

Is there any way I can get this like free some? Like weatherapi.com has IP lookup and navigator.geolocation lookup free for 1 million a month but how can I call an IP lookup web site from PHP if I can? I guess with that 500 thousand successes a month possible and I can pay for more.

I looked at that IP thing and it has free IP look up but HTTP not HTTPS but do I need HTTPS if I am on a HTTPS site and need HTTPS secure for navigator.geolocation? I could use weatherapi.com with HTTPS but am unsure if and how I can do this.

I found ip2c.org so now all I need is how to call a web site for response in PHP. It has unlimited per time IP lookups and is free. X E.
 
I would like to point you to this article:

more specifically, to the highlighted section
 
Yes it can be inaccurate but it is better than nothing. I find IP lookup low accuracy but only way to be certain a location search was done. With navigator.geolocation it may be more accurate but unsure if I can be sure it is run. Anyway, looking into PHP IP lookup services and still unsure how to be sure that Javascript check is included before purchase. I can also check navigator.userAgent although that is spoofable too. Anyway, no way to be sure but better than nothing.

I found there are VPN, proxy, and other spoof technique detecting software available so I may still get an accurate thing if I ban VPN and similar technologies programmatically. PHP is like most secure way to do this so all I need now is how to call a URL from PHP and I can probably find that. It is standard to have 1,000 calls a day allowed free. Maybe a combined spoof detector and IP lookup would work for this.

file_get_contents($url);

That in PHP to get URL contents in PHP. This can work. Maybe not 100% unspoofable but what is? Anything has a small chance of being hacked and thanks to you, like my chances of being hacked are smaller. X E.
 
So basically like my plans now are PHP start page, ban VPNs, proxies and TOR programmatically, check IP address, if correct country output some Javascript to get geolocation, use a form to input back that data to PHP to be checked for country, if both countries match in PHP, output script that initializes paddle.com checkout and opens it and have a Javascript callback to prevent fishy stuff and close window when done. Start point would be another site initiating with correct stuff for purchase, password, email, and postal/zip code where applicable. After all that I have an endpoint that receives purchase data and saves it to a database for code distribution.

With that I can't secure Javascript to certainly be run but PHP can certainly be run so use that for certainty. Use weatherapi.com with both calls to translate to country. With these ways I can be nearly certain that a custom country check happens although it does require 2 calls. I would be using POST and a form to put data back to PHP locally.

With these things I have reasonable certainty that a custom country check happens. I may also use POST again for paddle checkout events and checking. If anything is wrong with that feel free to inform but I consider this answered now. X E.
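
An added example, not part of the thread and not Paddle's or any poster's code: since anything running in the browser can be skipped from the console, one way to let the purchase endpoint tell whether the server-side country checks actually ran is to have PHP sign a short-lived token once they pass, carry it in custom_data, and verify it when the purchase data arrives. The secret, token layout, allow-list and function names are hypothetical.

```php
<?php
// Added example, not from the thread. Assumptions: CHECKOUT_SECRET, the token
// layout and both function names are hypothetical; nothing here is Paddle's API.
const CHECKOUT_SECRET   = 'replace-with-a-long-random-server-side-secret'; // placeholder
const ALLOWED_COUNTRIES = ['US', 'CA'];  // constructed sample allow-list
const TOKEN_TTL         = 900;           // seconds a token stays valid

// Called only after BOTH server-side checks (IP lookup and the posted
// geolocation) resolved to the same allowed country. Result goes in custom_data.
function issueCheckoutToken(string $email, string $country, int $now): string
{
    $payload = base64_encode(json_encode(
        ['email' => $email, 'country' => $country, 'exp' => $now + TOKEN_TTL]
    ));
    return $payload . '.' . hash_hmac('sha256', $payload, CHECKOUT_SECRET);
}

// Called in the purchase endpoint. Returns the verified claims, or null when
// the checkout did not go through the server-side checks.
function verifyCheckoutToken(?string $token, string $buyerEmail, int $now): ?array
{
    if ($token === null || substr_count($token, '.') !== 1) {
        return null;                     // missing or malformed token
    }
    [$payload, $mac] = explode('.', $token);
    if (!hash_equals(hash_hmac('sha256', $payload, CHECKOUT_SECRET), $mac)) {
        return null;                     // forged or edited in the browser
    }
    $claims = json_decode((string) base64_decode($payload, true), true);
    if (!is_array($claims) || ($claims['exp'] ?? 0) < $now) {
        return null;                     // undecodable or expired
    }
    if (!in_array($claims['country'] ?? '', ALLOWED_COUNTRIES, true)
        || ($claims['email'] ?? '') !== $buyerEmail) {
        return null;                     // wrong country, or token reused for another buyer
    }
    return $claims;
}

// Constructed demo values: a valid token, a missing token, a tampered token.
$now   = 1700000000;
$token = issueCheckoutToken('buyer@example.com', 'US', $now);
var_dump(verifyCheckoutToken($token, 'buyer@example.com', $now + 60) !== null);
var_dump(verifyCheckoutToken(null, 'buyer@example.com', $now + 60));
var_dump(verifyCheckoutToken('x' . $token, 'buyer@example.com', $now + 60));
```

The token only proves that the server-side checks ran for that buyer; the endpoint still has to authenticate the incoming purchase notification itself using the payment provider's documented mechanism.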
 
May want to look into this jQuery plugin.
 