PHP Var -> Javascript VAR

In there any mechanism to get a server side PHP variable, into a client
side Javascript variable - without the value of the variable being
visible in a view source ?


--
Spam:newsgroup(at)craznar.com@verisign-sux-klj.com
EMail:<0110001100101110011000100111010101110010011 010110
11001010100000001100011011100100110000101111010011 011100
11000010111001000101110011000110110111101101101001 00000>

127.0.0.1 wrote:[color=blue]
> In there any mechanism to get a server side PHP variable, into a client
> side Javascript variable - without the value of the variable being
> visible in a view source ?
>[/color]
Not easily. The usual way to pass variables like that is:
<script language="javascript">
var fred="<?php=$fred?>";
</script>
or
<input type="hidden" name="fred" value="<?php=$fred?>">
both of which are visible in the HTML source.

You could, however use an IFRAME which updates variables in the main
frame then redirects to obscure the contents. However a javascript
debugger will allow the contents of those vars to be seen.

It does beg the question as to why you need to pass obviously sensitive
information to the browser. I would try and keep such things in session
variables to avoid the round trip altogether.

Kevin Thorpe wrote:
[color=blue]
> You could, however use an IFRAME which updates variables in the main
> frame then redirects to obscure the contents. However a javascript
> debugger will allow the contents of those vars to be seen.[/color]

That isn't a problem, however IFRAMES are not very portable apparently
....
[color=blue]
>
> It does beg the question as to why you need to pass obviously
> sensitive information to the browser. I would try and keep such
> things in session variables to avoid the round trip altogether.[/color]

Not sensative, more 'internal'.


--
Spam:newsgroup(at)craznar.com@verisign-sux-klj.com
EMail:<0110001100101110011000100111010101110010011 010110
11001010100000001100011011100100110000101111010011 011100
11000010111001000101110011000110110111101101101001 00000>

Since JavaScript is client-side, there is no real way to hode anything
from the user. You can obfuscate it, hide it in other js files. It will
stop most people, but it won't be hidden as there will always be a way
for them to see it, the file is stored in cache and can be viewed with
any text editor.

127.0.0.1 wrote:[color=blue]
> In there any mechanism to get a server side PHP variable, into a client
> side Javascript variable - without the value of the variable being
> visible in a view source ?
>
>[/color]

On Monday 13 October 2003 04:38 am, 127.0.0.1 wrote:
[color=blue]
> Kevin Thorpe wrote:[color=green]
>>
>> It does beg the question as to why you need to pass obviously
>> sensitive information to the browser. I would try and keep such
>> things in session variables to avoid the round trip altogether.[/color]
>
> Not sensative, more 'internal'.[/color]

If the value isn't sensitive, then don't worry about it. The average user
isn't going to look at the javascript, and anyone (like us) who does
deserves what he gets when he plays around. :)

There are reasons to pass things down to the web page that need to be
protected. If that's the case here (and you don't need to change the value)
HMAC or similar is a good compromise. Send down the value and an HMAC of
the value with a secret you don't send. Then only accept the value back if
accompanied by a correct hash.
--
Don Faulkner, KB5WPM |
(This space | "All that is gold does not glitter."
unintentionally | "Not all those who wander are lost."
left blank) | -- J.R.R. Tolkien