Thread: Re: : javascript total




Re: : javascript total
Canada
2007-03-18 17:19:40
On Sun, Mar 18, 2007,  brian wrote:

>I'd add that if this has anything to do with tallying up, say, the price
>of something (as your subject line suggests), i'd not update the value
>of a text field, as this can be fiddled with. Better to update the text
>value of some node in the DOM that the user cannot write to themself.


Oooh.  Good point.  Hadn't even considered that possibility.

I guess, as well as the text field,  I will have to set an unmodifiable
variable, and use that var as the value for computation.


thanks for the responses, guys.  Javascripting is new to me... this work
has been a revelation!

--
later, 
      John Snippe

+----------------------------------------------------------------------+
  more info about webdesign-l: http://webdesign-L.com/
               to unsubscribe: http://webdesign-L.com/mailman/listinfo/list
  If you had read the list policies: http://webdesign-L.com/policies/
 you'd know not to "top post": http://en.wikipedia.org/wiki/Top-posting
     That means that if this line here is in your reply, you lose.

Re: : javascript total
Canada
2007-03-18 16:45:35
John Snippe wrote:
> On Sun, Mar 18, 2007,  brian wrote:
>
>> I'd add that if this has anything to do with tallying up, say, the
>> price of something (as your subject line suggests), i'd not update
>> the value of a text field, as this can be fiddled with. Better to
>> update the text value of some node in the DOM that the user cannot
>> write to themself.
>
> Oooh.  Good point.  Hadn't even considered that possibility.
>
> I guess, as well as the text field,  I will have to set an
> unmodifiable variable, and use that var as the value for computation.
>
> 
Hmm ... keep in mind, though, that javascript is entirely available to
the user. If your application will be sending some value to the server
DO NOT TRUST THAT VALUE.

That is, your summing calculations should be for the user's benefit
ONLY. If your form is going to send any values to the server, have some
script redo the calculations there, based on trusted values from that
script. Never rely on anything that the client passes to the server,
excepting *what* they're ordering, say.

You didn't specify exactly what you want to achieve, but, based on your
statements so far, i'm guessing it's something like this:

Your application lists several choices for the user, each with a
different price (or lists regions, to calculate taxes). The user makes a
choice, and the javascript updates a "total" field. The user submits the
form, where it is processed on the server.

However, it's trivial to submit one's own values to a server (whether
it's via GET or POST). As i suggested earlier, relying on a value that
the user can change in a text field is bound to get you into trouble.
But, if you also rely on a "hidden" value inside your javascript, that,
too, can be seen and adjusted.

Just something to think about if you're new to scripting. I'm just
assuming the worst here, in case it hadn't occurred to you.


PS: in terms of updating some element with the newly calculated value,
look into DOM scripting, specifically adding new--or updating the text
values of--elements on the page. You could place an empty div in the
spot where that text field was going to be, give it an ID ('the_id') and
change its value thusly:

// nodeValue is null on an element node, so assign to textContent instead
document.getElementById('the_id').textContent = your_value;

Another thing to watch out for is that numbers are often passed as
strings (this bit me yesterday, actually). Whenever grabbing values from
an element or one of its attributes that you want to do any math with,
call parseInt() (or parseFloat) on it.

HTH
b
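
The server-side recalculation described in the reply above, as an added example that is not part of the original thread. The price list, the form shape and the names PRICES, parseQuantity and priceOrder are assumptions made for illustration; the sample submissions are constructed.

```javascript
// Server-side price list in integer cents (constructed sample data).
// The client never supplies prices, only item ids and quantities.
const PRICES = Object.freeze({ widget: 1250, gadget: 3999, gizmo: 500 });
const MAX_QTY = 100;

// Form values arrive as strings; accept only plain decimal integers,
// so inputs like "1e2", "-5" or "2 OR 1" are rejected before parseInt.
function parseQuantity(raw) {
  if (typeof raw !== 'string' || !/^[0-9]{1,3}$/.test(raw)) return null;
  const qty = parseInt(raw, 10);
  return qty >= 1 && qty <= MAX_QTY ? qty : null;
}

// form: { items: [{ id, qty }], total } as parsed from the request body.
function priceOrder(form) {
  if (!form || !Array.isArray(form.items) || form.items.length === 0) {
    return { ok: false, error: 'no items' };
  }
  let totalCents = 0;
  for (const item of form.items) {
    if (!item || !Object.prototype.hasOwnProperty.call(PRICES, item.id)) {
      return { ok: false, error: 'unknown item' };
    }
    const qty = parseQuantity(item.qty);
    if (qty === null) return { ok: false, error: 'bad quantity' };
    totalCents += PRICES[item.id] * qty;
  }
  // The submitted total is only compared, so a mismatch can be logged;
  // the amount charged is always the server's own figure.
  const clientCents = Math.round(parseFloat(form.total) * 100);
  return { ok: true, totalCents, clientTotalMatches: clientCents === totalCents };
}

// Constructed submissions: one honest, one with an edited total field.
const honest = { items: [{ id: 'widget', qty: '2' }, { id: 'gizmo', qty: '1' }], total: '30.00' };
const tampered = { items: [{ id: 'gadget', qty: '1' }], total: '0.01' };
console.log(priceOrder(honest));
console.log(priceOrder(tampered));
```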
