Basic hashed coupon discounts

(encryption tutorial)

Overview

If your page has things like passwords or coupon codes on it, you do not want those codes to be readable within your page, but they must somehow be verified when a user enters them. The question is what we can do client-side to hide those codes from a potential cheater and still be able to verify his input, in such a way that nothing he can look at on the page lets him steal a valid code. This is exactly the sort of problem the cryptographic hash function was developed to handle. (See links at the bottom of the page.)

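A cryptographic hash is basically an irreversible, one-way transformation of some data: loosely, an encryption with no key that could ever decrypt it. The cheater may see the hash value in your verification table, and the code that produced it, but cannot run the function backwards to recover the original input. What remains open to him is guessing inputs and hashing each guess, which is why the length of your codes matters (see further down).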

In operation you would take the code you wanted to hide and run it through the hash function on your machine (locally). You would then take the output of the hash function and use that value to build the verification table within the page that interfaces with your customers. If a customer has a coupon code, for example, he would enter that code into your page, and we would run the code through the hash function, and use the output of the hash function to search through the verification table. If the hashed value of his entry does not match an entry in your table, then we would reject that coupon code.

The only thing within your page that the customer could ever see would be your verification table that contained hashed values, and he must input a code that is run through a hash function to match one of your hash values. The original coupon code appears nowhere on your customer page.

If you had two valid coupon codes for your page, coup1 and coup2, recall that in simpcoup.html we would build a coupon code table in the JS containing those two values. The only difference now is that we take those two codes and pass them through a hash function to get something like these two values: d7e9c9a0 and 4f2e9d6c. The coupon table now contains those two values, and when the user inputs a value, we run it through our hash function and compare the output with those two entries in the table. Nowhere on your page is there a value of coup1 or coup2.


Here is an example of creating a hash value for any coupon value...

Input is any amount of text you can enter from a keyboard or paste (including <cr>, etc), and the output is the hex representation of the characters of the hash. The length of the hash output in characters is a parameter which is internally set to 10 (in hex notation those 10 characters take 20 chars to represent); it can be anything up to 4,096.

Input
 
Output

The JS call is...

  Hash2(strn, len, flg);

  Where
    strn = the character string to hash (any length).
    len  = the length of the hash output character string (10-4096).
    flg  = output return format
           0 = 256-character format (not all characters will display)
           1 = hex notation of the characters (doubles display length).

The code above will create hash values for any code you want. It is best to have longer coupon codes because that makes them harder to figure out. It is also a good idea to have multiple codes be different lengths. With that in place, the hash routine will effectively hide your coupon codes from any potential cheaters.

Because this is client-side, there is a single way a cheater can get at you: he can bypass some of the code and send you an invalid coupon code with a discount. You must be able to recognize valid coupon codes, either manually or automatically with something like IPN, and reject those that are invalid.
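One way to do that recognition automatically, as an added example that is not part of the original page: a merchant-side check that recomputes what an order should have cost from the coupon code it reports. It assumes the notification has already been authenticated, that there is no tax or shipping, and that the code travels in the "custom" field; the function names, prices and sample orders are constructed.

```javascript
// Added example, not from the original page. Field names follow PayPal IPN
// variables (quantity, mc_gross, custom); prices, codes and orders are constructed.
const UNIT_PRICE_CENTS = 2000;             // the $20.00 item from FORM 2
const COUPONS = new Map([["coup1", 10]]);  // plaintext is fine here: never sent to a browser
const BLANKET_PERCENT = 0;                 // mirrors `var discnt = 0;` on the page

// Work in integer cents so percentages do not pick up floating-point error.
function expectedGrossCents(quantity, percent) {
  return Math.round((UNIT_PRICE_CENTS * quantity * (100 - percent)) / 100);
}

// Recompute the price from what the order claims and compare with what was paid.
function checkOrder(order) {
  const quantity = Number(order.quantity);
  if (!Number.isInteger(quantity) || quantity < 1) {
    return { ok: false, reason: "bad quantity" };
  }
  const paidCents = Math.round(Number(order.mc_gross) * 100);
  if (!Number.isFinite(paidCents)) {
    return { ok: false, reason: "bad amount" };
  }
  const code = order.custom || "";
  if (code !== "" && !COUPONS.has(code)) {
    return { ok: false, reason: "unknown coupon" };
  }
  const percent = code === "" ? BLANKET_PERCENT : COUPONS.get(code);
  const expected = expectedGrossCents(quantity, percent);
  if (paidCents !== expected) {
    return { ok: false, reason: `paid ${paidCents}, expected ${expected}` };
  }
  return { ok: true, reason: "amount matches" };
}

// Constructed notifications: one honest order and three that should be held.
const SAMPLE_ORDERS = [
  { quantity: "2", mc_gross: "36.00", custom: "coup1" },   // 10% off 2 x $20.00
  { quantity: "2", mc_gross: "36.00", custom: "" },        // discount, no coupon
  { quantity: "1", mc_gross: "10.00", custom: "coup1" },   // discount larger than 10%
  { quantity: "1", mc_gross: "18.00", custom: "freebie" }, // code not issued
];

function reviewAll() {
  return SAMPLE_ORDERS.map((o) => checkOrder(o));
}

console.log(reviewAll());
```

Orders that fail the check are the ones to hold for manual review before shipping.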


The first FORM just gives the discount with no questions. Your site would proclaim a 10% discount on all products for the next week. The pricing on the site remains the same, but a 10% discount is applied to all items ordered. The discount is set by changing the first line under the <script> tag. Setting it to zero turns the discount off.

    var discnt = 0;   // no default percent discount

  The above setting requires a coupon entry to change.

    var discnt = 10;  // percent discount to offer customers

  This setting gives a blanket 10% discount to everything on this page.

FORM 1

SPECIAL - for the next week a 10% discount on all items! [picture] Blah, blah. $10.00 each

Input quantity >    

End of FORM 1


A little more difficult is to use a broadcast coupon method. A Broadcast Coupon is something like putting an ad in the paper that anyone may see. You give them a coupon code, and if they enter it into your site then you give them a discount. If you want to give specific people a coupon then you are going to have to do that server-side where you have the ability to remember the code for a specific individual. This is client-side where no such memory exists (people regularly delete their cookies [at least I do]).

In this example we ask for a code, and if one of the proper codes is given it is reported to you, and the discount associated with that code is applied. Perhaps you place ads in several papers, each with a different coupon code to see which paper is giving the best advertising results. For this simple example the code entered is placed into the "item_name" field so you can see it. In reality you might want to place it into the "custom" field so no one but you can see it.

If you look at the coupon code table in the JavaScript you will see something very interesting. In simpcoup.html it held 3 coupon codes, coup1, coup2 and coup3, but it is different now. The first code used to be coup1, but now it is 4cfc64bb94cc3ff4c548, which is the hashed version of coup1, and the only code that now works. In the hash example, above, enter coup1 and see that you get 4cfc64bb94cc3ff4c548, so you can see that the coupon code table must now be filled with the hashed values of your codes. The customer enters coup1 to get access, but the value "coup1" appears nowhere on your page.

The customer must make an entry, and the hashed value of his entry must match one of the hashed entries in your coupon table. Pretty simple once you get your mind around it. Print the source of this page and you can see how it works. Print out the Random Library Code to see what the randlib JavaScript is doing (that is where the source for Hash2 is).
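The build-then-verify flow described here and in the overview, as an added example that is not the page's own code. It runs under Node.js and uses SHA-256 truncated to 20 hex characters as a stand-in for Hash2, so its hash values differ from those quoted on this page; the function names, the second code and the discounts are assumptions.

```javascript
// Added example: SHA-256 stands in for the page's Hash2(strn, 10, 1),
// so the hash values differ from the ones quoted on the page.
const { createHash } = require("node:crypto");

const HASH_HEX_LEN = 20; // 10 hash characters shown as 20 hex characters, as on the page

// One-way digest of a coupon code, truncated to the page's output length.
function hashCode(code) {
  return createHash("sha256").update(code, "utf8").digest("hex").slice(0, HASH_HEX_LEN);
}

// Step 1 (run locally, never shipped): turn {plaintext code: percent} into
// the {hash: percent} table that goes into the customer-facing page.
function buildVerificationTable(plainCodes) {
  const table = new Map();
  for (const [code, percent] of Object.entries(plainCodes)) {
    table.set(hashCode(code), percent);
  }
  return table;
}

// Step 2 (runs in the page): hash what the customer typed and look it up.
// Returns the percent discount, or 0 when the entry matches nothing.
function discountFor(table, entry) {
  if (typeof entry !== "string" || entry.length === 0) return 0;
  return table.get(hashCode(entry)) ?? 0;
}

// Constructed sample data: two codes of different lengths with their discounts.
const shippedTable = buildVerificationTable({ coup1: 10, "paper-ad-coupon-2": 15 });

function demo() {
  return {
    valid: discountFor(shippedTable, "coup1"),
    wrongCase: discountFor(shippedTable, "COUP1"),
    // A table value copied from the page source is hashed again on entry, so it matches nothing.
    hashPasted: discountFor(shippedTable, hashCode("coup1")),
    plaintextInTable: [...shippedTable.keys()].includes("coup1"),
  };
}

console.log(demo());
```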


FORM 2

Enter Coupon code [coup1] >    

[picture] Blah, blah. $20.00 each

Input quantity >    

End of FORM 2


Links

Basic hash function.
Cryptographic hash functions.
MD5 hash function.
SHA hash function.



Contact me concerning this article at paypalhelper@aol.com. Mention "hasher" in your note.
