I am designing a site where it would be problematic if macros were allowed to run freely.

I have thought of a way to stop a macro made by simulating the HTTP requests from a button click but this would be in vain if they could insert javascript scripts which just "click" the button and proceed as a normal user would.

By simulating a button click, I mean, the button is pressed and the Form the button is in runs with the php code associated with it.

Logic tells me javascript can do this but I would like to know for sure, thank you for any input!

~Andrew

A button may be allways clicked programmatically. For example you may have some page with form like this:

<form>
    <input type="text" />
    <button>Do something</button>
    <input type="submit">
</form>

than it is possible just to open debug cosole and type

document.getElementsByTagName('button')[0].click();

which will click the button, or

document.getElementsByTagName('input')[1].click();

which will click the submit button of the form, or just

document.forms[0].submit();

to submit the form without clicking the button.

There is no way to prevent user from mastering JavaScript code on client. You have to add some validation on server side in order to prevent unwanted user actions.

the only thing you can do is validate the request on the server.

once you hand the page over to a client, you have no technical control over how it might be used.

What you can do for example, from:

Say you're making javascript game. You use AJAX to send the score of the player to the server for logging. After looking at the script, a malicious user could run your AJAX code to send a score of 1,000,000 even if they earned only 5,000.

You can't prevent this from happening on the javascript side. However, there should some way to authenticate AJAX requests on the server side, you might be able to pass a security "token" to javascript that a hacker couldn't get ahold of.