
Hide a string in javascript

I know everyone who uses javascript at some point tries to think of a
way to hide it from curious users/hackers, so here goes my question.

I am trying to display an image map and keep the coords of the active
areas hidden from users. I have a page named test.htm that includes a
file get.php in a <script> tag that will dynamically generate some
javascript to write the imagemap. The get.php file will write a unique
key to a session that will identify each request. The get.php file will
make an ajax call to a file named get2.php. The get2.php file will
check the unique key in the session to make sure the request is valid.
If the request is valid get2.php will return a string which will be
javascript that creates an array for the coords of the imagemap.
Something like:

var arr = new Array(10, 10, 20, 20);

After the ajax call is successful get.php will do an eval() on the
string returned from get2.php to set the coords of the active area of
the imagemap. The get2.php request would expire, so that a user could
not simply do a request for the file in his browser and see what is
returned. Also the coords will change with each request, so figuring
out how to see the data in get2.php will be irrelevant as it will
always change.

My concern is: Is there a way to pull out what has been written to the
browser in that eval() in get.php?

Dec 21 '06 #1
7 Replies


tr********@gmail.com said the following on 12/20/2006 10:54 PM:
> I know everyone who uses javascript at some point tries to think of a
> way to hide it from curious users/hackers, so here goes my question.
>
> I am trying to display an image map and keep the coords of the active
> areas hidden from users. I have a page named test.htm that includes a
> file get.php in a <script> tag that will dynamically generate some
> javascript to write the imagemap. The get.php file will write a unique
> key to a session that will identify each request. The get.php file will
> make an ajax call to a file named get2.php. The get2.php file will
> check the unique key in the session to make sure the request is valid.
> If the request is valid get2.php will return a string which will be
> javascript that creates an array for the coords of the imagemap.
> Something like:
>
> var arr = new Array(10, 10, 20, 20);
>
> After the ajax call is successful get.php will do an eval() on the
> string returned from get2.php to set the coords of the active area of
> the imagemap. The get2.php request would expire, so that a user could
> not simply do a request for the file in his browser and see what is
> returned. Also the coords will change with each request, so figuring
> out how to see the data in get2.php will be irrelevant as it will
> always change.
>
> My concern is: Is there a way to pull out what has been written to the
> browser in that eval() in get.php?

You can get get2.php from the cache while the browser is open.
If the array name is known, you can javascript:alert(arr); (or similar)
in the task bar.

Why are the coordinates of the imageMap so critically secret?
--
Randy
Chance Favors The Prepared Mind
comp.lang.javascript FAQ - http://jibbering.com/faq/index.html
Javascript Best Practices - http://www.JavascriptToolbox.com/bestpractices/
Dec 21 '06 #2

tr********@gmail.com wrote:
> I know everyone who uses javascript at some point tries to think of a
> way to hide it from curious users/hackers, so here goes my question.
>
> I am trying to display an image map and keep the coords of the active
> areas hidden from users. ...

Try to use a server-side image map, then the coords never show up on
the client.

> ... I have a page named test.htm that includes a
> file get.php in a <script> tag that will dynamically generate some
> javascript to write the imagemap. The get.php file will write a unique
> key to a session that will identify each request. The get.php file will
> make an ajax call to a file named get2.php. The get2.php file will
> check the unique key in the session to make sure the request is valid.
> If the request is valid get2.php will return a string which will be
> javascript that creates an array for the coords of the imagemap.
> Something like:
>
> var arr = new Array(10, 10, 20, 20);
>
> After the ajax call is successful get.php will do an eval() on the
> string returned from get2.php to set the coords of the active area of
> the imagemap. The get2.php request would expire, so that a user could
> not simply do a request for the file in his browser and see what is
> returned. Also the coords will change with each request, so figuring
> out how to see the data in get2.php will be irrelevant as it will
> always change.

It would certainly hide it from curious users/hackers. I can't think of
anybody that curious.

> My concern is: Is there a way to pull out what has been written to the
> browser in that eval() in get.php?

Yes. Everything sent to the browser can be pulled out. The browser may
also have a DOM inspector tool used for debugging, that allows you to
read the coords of the active areas directly from the in-memory
DOM-tree.

Dec 21 '06 #3
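
The server-side approach suggested in reply #3, as an added example that is not part of the original thread: the browser reports only the click position and the server answers hit or miss, so the coordinates are never sent. The function names, the in-memory Map used as a session store, and the expiry and guess cap are assumptions made for illustration.

```javascript
// Added example: server-side hit testing, so the active-area coordinates
// stay on the server. createRound, handleClick and the in-memory Map are
// hypothetical names, not code from the thread.
const rounds = new Map(); // sessionId -> { rects, expires, guessesLeft }

// Start a round: the active areas are chosen and stored on the server only.
// Rect format follows the question's array: [x1, y1, x2, y2].
function createRound(sessionId, rects, ttlMs = 60000, maxGuesses = 20, now = Date.now()) {
  rounds.set(sessionId, { rects, expires: now + ttlMs, guessesLeft: maxGuesses });
}

function inRect(x, y, [x1, y1, x2, y2]) {
  return x >= x1 && x <= x2 && y >= y1 && y <= y2;
}

// Handle one click reported by the client. The reply carries only the
// outcome and an area index, never the rectangle itself.
function handleClick(sessionId, x, y, now = Date.now()) {
  const round = rounds.get(sessionId);
  if (!round || now > round.expires) {
    rounds.delete(sessionId);
    return { status: 'expired' };
  }
  // Reject anything that is not an integer pair before touching state.
  if (!Number.isInteger(x) || !Number.isInteger(y)) return { status: 'bad_request' };
  // Hit/miss answers still leak one bit per probe, so cap the probes.
  if (round.guessesLeft <= 0) return { status: 'locked' };
  round.guessesLeft -= 1;
  const hit = round.rects.findIndex((r) => inRect(x, y, r));
  return hit === -1 ? { status: 'miss' } : { status: 'hit', area: hit };
}

// Constructed sample round using the rectangle from the question.
createRound('sess-constructed-1', [[10, 10, 20, 20]], 60000, 3);
console.log(handleClick('sess-constructed-1', 15, 15));
console.log(handleClick('sess-constructed-1', 50, 50));
```
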

Randy,

I am trying to use this in a game app I am writing in ajax. The user
would not be able to do an alert in the taskbar as the arr would be out
of scope. The arr would be defined in a function and would be out of
scope once the page loads.

How would I go about getting the get2.php from the cache? Would that be
considered a second request? The 1st request would be the actual
javascript making the ajax call and the 2nd request being made by the
cache?

Randy Webb wrote:
> tr********@gmail.com said the following on 12/20/2006 10:54 PM:
> > I know everyone who uses javascript at some point tries to think of a
> > way to hide it from curious users/hackers, so here goes my question.
> >
> > I am trying to display an image map and keep the coords of the active
> > areas hidden from users. I have a page named test.htm that includes a
> > file get.php in a <script> tag that will dynamically generate some
> > javascript to write the imagemap. The get.php file will write a unique
> > key to a session that will identify each request. The get.php file will
> > make an ajax call to a file named get2.php. The get2.php file will
> > check the unique key in the session to make sure the request is valid.
> > If the request is valid get2.php will return a string which will be
> > javascript that creates an array for the coords of the imagemap.
> > Something like:
> >
> > var arr = new Array(10, 10, 20, 20);
> >
> > After the ajax call is successful get.php will do an eval() on the
> > string returned from get2.php to set the coords of the active area of
> > the imagemap. The get2.php request would expire, so that a user could
> > not simply do a request for the file in his browser and see what is
> > returned. Also the coords will change with each request, so figuring
> > out how to see the data in get2.php will be irrelevant as it will
> > always change.
> >
> > My concern is: Is there a way to pull out what has been written to the
> > browser in that eval() in get.php?
>
> You can get get2.php from the cache while the browser is open.
> If the array name is known, you can javascript:alert(arr); (or similar)
> in the task bar.
>
> Why are the coordinates of the imageMap so critically secret?
> --
> Randy
> Chance Favors The Prepared Mind
> comp.lang.javascript FAQ - http://jibbering.com/faq/index.html
> Javascript Best Practices - http://www.JavascriptToolbox.com/bestpractices/
Dec 21 '06 #4

Trey Bason wrote:
> Randy,
>
> I am trying to use this in a game app I am writing in ajax. The user
> would not be able to do an alert in the taskbar as the arr would be out
> of scope. The arr would be defined in a function and would be out of
> scope once the page loads.
>
> How would I go about getting the get2.php from the cache? Would that be
> considered a second request? The 1st request would be the actual
> javascript making the ajax call and the 2nd request being made by the
> cache?
>
> Randy Webb wrote:
> > tr********@gmail.com said the following on 12/20/2006 10:54 PM:
> > > I know everyone who uses javascript at some point tries to think of a
> > > way to hide it from curious users/hackers, so here goes my question.
> > >
> > > I am trying to display an image map and keep the coords of the active
> > > areas hidden from users. I have a page named test.htm that includes a
> > > file get.php in a <script> tag that will dynamically generate some
> > > javascript to write the imagemap. The get.php file will write a unique
> > > key to a session that will identify each request. The get.php file will
> > > make an ajax call to a file named get2.php. The get2.php file will
> > > check the unique key in the session to make sure the request is valid.
> > > If the request is valid get2.php will return a string which will be
> > > javascript that creates an array for the coords of the imagemap.
> > > Something like:
> > >
> > > var arr = new Array(10, 10, 20, 20);
> > >
> > > After the ajax call is successful get.php will do an eval() on the
> > > string returned from get2.php to set the coords of the active area of
> > > the imagemap. The get2.php request would expire, so that a user could
> > > not simply do a request for the file in his browser and see what is
> > > returned. Also the coords will change with each request, so figuring
> > > out how to see the data in get2.php will be irrelevant as it will
> > > always change.
> > >
> > > My concern is: Is there a way to pull out what has been written to the
> > > browser in that eval() in get.php?
> >
> > You can get get2.php from the cache while the browser is open.
> > If the array name is known, you can javascript:alert(arr); (or similar)
> > in the task bar.
> >
> > Why are the coordinates of the imageMap so critically secret?
> > --
> > Randy
> > Chance Favors The Prepared Mind
> > comp.lang.javascript FAQ - http://jibbering.com/faq/index.html
> > Javascript Best Practices - http://www.JavascriptToolbox.com/bestpractices/

It's not possible - in the moment the browser loads the data you can
read it out, think of firebug users ;)

Dec 21 '06 #5

Trey Bason said the following on 12/21/2006 7:37 AM:
> Randy,
>
> I am trying to use this in a game app I am writing in ajax. The user
> would not be able to do an alert in the taskbar as the arr would be out
> of scope. The arr would be defined in a function and would be out of
> scope once the page loads.
>
> How would I go about getting the get2.php from the cache? Would that be
> considered a second request? The 1st request would be the actual
> javascript making the ajax call and the 2nd request being made by the
> cache?

Open the Temporary Internet Files folder, find the file, right click and
Edit it. And no, it doesn't get another copy from the server, it reads
it from the cache. And as long as the page is open, that file will
remain in the cache.

--
Randy
Chance Favors The Prepared Mind
comp.lang.javascript FAQ - http://jibbering.com/faq/index.html
Javascript Best Practices - http://www.JavascriptToolbox.com/bestpractices/
Dec 21 '06 #6

Randy,

I am using the following line of code to make sure the browser does not
cache the page.

header("Cache-Control: no-cache");

Wouldn't this prevent someone from being able to view the file in the
cache?

Randy Webb wrote:
> Trey Bason said the following on 12/21/2006 7:37 AM:
> > Randy,
> >
> > I am trying to use this in a game app I am writing in ajax. The user
> > would not be able to do an alert in the taskbar as the arr would be out
> > of scope. The arr would be defined in a function and would be out of
> > scope once the page loads.
> >
> > How would I go about getting the get2.php from the cache? Would that be
> > considered a second request? The 1st request would be the actual
> > javascript making the ajax call and the 2nd request being made by the
> > cache?
>
> Open the Temporary Internet Files folder, find the file, right click and
> Edit it. And no, it doesn't get another copy from the server, it reads
> it from the cache. And as long as the page is open, that file will
> remain in the cache.
>
> --
> Randy
> Chance Favors The Prepared Mind
> comp.lang.javascript FAQ - http://jibbering.com/faq/index.html
> Javascript Best Practices - http://www.JavascriptToolbox.com/bestpractices/
Dec 21 '06 #7

Trey Bason said the following on 12/21/2006 4:15 PM:

Answer: It destroys the order of the conversation
Question: Why?
Answer: Top-Posting.
Question: What's the most annoying thing on Usenet?

> Randy,
>
> I am using the following line of code to make sure the browser does not
> cache the page.
>
> header("Cache-Control: no-cache");
>
> Wouldn't this prevent someone from being able to view the file in the
> cache?

After the page is closed, sure. But, while the page is open the browser
*must* have that file locally (test it).

--
Randy
Chance Favors The Prepared Mind
comp.lang.javascript FAQ - http://jibbering.com/faq/index.html
Javascript Best Practices - http://www.JavascriptToolbox.com/bestpractices/
Dec 21 '06 #8
