By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
429,564 Members | 810 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 429,564 IT Pros & Developers. It's quick & easy.

Hide javascript source using php

P: n/a
Sorry, I'm a newbie to php ;)

I was thinking about using php to write the script file, something
like:

<script type="text/javascript"
src="http://insert_url_here.com/myScript.php"></script>

The php file then echo'ing the source code. If that works then how can
I stop the php file being loaded directly, that is the user browsing
to http://insert_url_here.com/myScript.php and seeing the source. I
only want it to write the source when it is called through the script.

Any help is much appreciated...
Jul 17 '05 #1
Share this Question
Share on Google+
10 Replies


P: n/a
On 3 Jun 2004 15:34:52 -0700, ch**********@yahoo.co.uk (Mark) wrote:
I was thinking about using php to write the script file, something
like:

<script type="text/javascript"
src="http://insert_url_here.com/myScript.php"></script>

The php file then echo'ing the source code. If that works then how can
I stop the php file being loaded directly, that is the user browsing
to http://insert_url_here.com/myScript.php and seeing the source. I
only want it to write the source when it is called through the script.


If you're doing this in the name of security, surely this is pretty futile,
even if it could be done reliably. The browser will need to download the
Javascript to run it, therefore the source is available to the user.

--
Andy Hassall <an**@andyh.co.uk> / Space: disk usage analysis tool
http://www.andyh.co.uk / http://www.andyhsoftware.co.uk/space
Jul 17 '05 #2

P: n/a
Regarding this well-known quote, often attributed to Mark's famous "3 Jun
2004 15:34:52 -0700" speech:
Sorry, I'm a newbie to php ;)

I was thinking about using php to write the script file, something
like:

<script type="text/javascript"
src="http://insert_url_here.com/myScript.php"></script>

The php file then echo'ing the source code. If that works then how can
I stop the php file being loaded directly, that is the user browsing
to http://insert_url_here.com/myScript.php and seeing the source. I
only want it to write the source when it is called through the script.

Any help is much appreciated...


The only way I can think of to do this is a clunky and over-the-top, but it
should work for most uses: Using a one-time key.

1. Make sure nothing caches. Add every "Never Cache Me!" header you can
think of to the JS/PHP file and the calling file.

2. Whenever the calling file is run, it generates a random key, and writes
it to a file or database. Say it's "asdboibo29h9q".

3. The javascript is called like <script type="text/javascript"
src="scriptme.php?key=asdboibo29h9q">

4. The PHP in scriptme.php checks to see if that key exists. If it does, it
is deleted. If not, the "Keep off my script" message is all they get.
This has a few problems:

It can be subverted by someone turning off JavaScript, then typing the URL
from the script tag in their browser. Since the script was never
downloaded, the key is not expired. They get the script. Also, someone
manually retrieving files from the server, or using a non-browser utility
could get the script. It's foolproof, but quite a few people past the
"fool" stage could still get at it.

Also, if the calling page gets cached, the script will fail to load, since
the same key will be used twice. You could make the "alternate" JavaScript
code deal with this somehow, I suppose, by gracefully failing, or trying to
reload a new key.

--
-- Rudy Fleminger
-- sp@mmers.and.evil.ones.will.bow-down-to.us
(put "Hey!" in the Subject line for priority processing!)
-- http://www.pixelsaredead.com
Jul 17 '05 #3

P: n/a
ch**********@yahoo.co.uk (Mark) wrote in message news:<6c*************************@posting.google.c om>...
Sorry, I'm a newbie to php ;)

I was thinking about using php to write the script file, something
like:

<script type="text/javascript"
src="http://insert_url_here.com/myScript.php"></script>

The php file then echo'ing the source code. If that works then how can
I stop the php file being loaded directly, that is the user browsing
to http://insert_url_here.com/myScript.php and seeing the source. I
only want it to write the source when it is called through the script.


As phpSt.Andy said, there is no bullet-proof solution to hide JS as
it is client-side and the code is required to run.

Anyway, it seems you're looking for the solution just like
"hotlinking". Just do a Google search on "hotlinking", you'll find
number of solutions usually for the images--which can be taken for JS
too. Similar one is here
<http://www.htmlcenter.com/tutorials/tutorials.cfm/159/PHP/>

In simpler terms the logic is:
1. Set a session variable aka flag in a main script
2. Check the presence of the flag in a on the fly JS creating PHP code
3. Add no-cache headers in on the fly JS creating PHP code--so that
the code is not get stored in temp folders.

--
| Just another PHP saint |
Email: rrjanbiah-at-Y!com
Jul 17 '05 #4

P: n/a
Thank you for the responses.

It is not so much that I want to hide the source, but rather I want to
track where it is being used. So thats why I thought of PHP, when the
file is requested it can log that info. Hiding the source was just
something else which I though would be useful, otherwise people could
just copy the code and upload it elsewhere without me being able to
track the script's use.

P.S. I have also found this here:
http://groups.google.com/groups?selm....earthlink.net
Jul 17 '05 #5

P: n/a
In article <6c**************************@posting.google.com >, Mark wrote:
Thank you for the responses.

It is not so much that I want to hide the source, but rather I want to
track where it is being used. So thats why I thought of PHP, when the
file is requested it can log that info. Hiding the source was just
something else which I though would be useful, otherwise people could
just copy the code and upload it elsewhere without me being able to
track the script's use.


As soon someone saves the output of your script (thus the actual
JavaScript code, it will be hard to track it down, if not impossible,
where it's used next).

--
Tim Van Wassenhove <http://home.mysth.be/~timvw/contact.php>
Jul 17 '05 #6

P: n/a
Mark wrote:

otherwise people could just copy the code and upload it
elsewhere without me being able to track the script's use.


They can, you can't track or control it, and attempting to do so is a
waste of your time. However, *learning* that this is a waste of your
time is not a waste of your time, so go right ahead. Eventually you'll
realize that you are tilting at windmills, and you'll be wiser for the
experience.

bblackmoor
2004-06-04
Jul 17 '05 #7

P: n/a
ch**********@yahoo.co.uk (Mark) wrote in message news:<6c**************************@posting.google. com>...
Thank you for the responses.

It is not so much that I want to hide the source, but rather I want to
track where it is being used. So thats why I thought of PHP, when the
file is requested it can log that info. Hiding the source was just
something else which I though would be useful, otherwise people could
just copy the code and upload it elsewhere without me being able to
track the script's use.

P.S. I have also found this here:
http://groups.google.com/groups?selm....earthlink.net


I guess, few possibilities to hack this system:

1. A PHP code using cURL functions
2. A sniffer
3. Browser masquerade techniques

--
| Just another PHP saint |
Email: rrjanbiah-at-Y!com
Jul 17 '05 #8

P: n/a
"R. Rajesh Jeba Anbiah" <ng**********@rediffmail.com> wrote in message
news:ab**************************@posting.google.c om...
ch**********@yahoo.co.uk (Mark) wrote in message news:<6c**************************@posting.google. com>...
Thank you for the responses.

It is not so much that I want to hide the source, but rather I want to
track where it is being used. So thats why I thought of PHP, when the
file is requested it can log that info. Hiding the source was just
something else which I though would be useful, otherwise people could
just copy the code and upload it elsewhere without me being able to
track the script's use.

P.S. I have also found this here:

http://groups.google.com/groups?selm....earthlink.net
I guess, few possibilities to hack this system:

1. A PHP code using cURL functions
2. A sniffer
3. Browser masquerade techniques


The browser is always ready to caugh up the HTML content/Javascript code, so
any protection scheme is bound to fail.

To get the source to all functions (Netscape only):

javascript:f=[];for(name in
window){obj=window[name];if(typeof(obj)=='function'){f.push(obj);}}j=docum en
t.createElement('TEXTAREA');j.value=f.join('\n');d ocument.body.appendChild(j
);void(0)

To get the content:

javascript:a=document.createElement('TEXTAREA');do cument.body.appendChild(a)
;a.value=document.getElementsByTagName('HTML')[0].outerHTML;void(0);
Jul 17 '05 #9

P: n/a
"Chung Leong" <ch***********@hotmail.com> wrote in message news:<TP********************@comcast.com>...
"R. Rajesh Jeba Anbiah" <ng**********@rediffmail.com> wrote in message
news:ab**************************@posting.google.c om...
ch**********@yahoo.co.uk (Mark) wrote in message

news:<6c**************************@posting.google. com>...

[...]
P.S. I have also found this here:

http://groups.google.com/groups?selm....earthlink.net

I guess, few possibilities to hack this system:

1. A PHP code using cURL functions
2. A sniffer
3. Browser masquerade techniques


The browser is always ready to caugh up the HTML content/Javascript code, so
any protection scheme is bound to fail.

To get the source to all functions (Netscape only):

javascript:f=[];for(name in
window){obj=window[name];if(typeof(obj)=='function'){f.push(obj);}}j=docum en
t.createElement('TEXTAREA');j.value=f.join('\n');d ocument.body.appendChild(j
);void(0)

To get the content:

javascript:a=document.createElement('TEXTAREA');do cument.body.appendChild(a)
;a.value=document.getElementsByTagName('HTML')[0].outerHTML;void(0);


Sounds like you're talking about "View Rendered Source"
<http://billfriedrich.tripod.com/index.html?Web>

--
| Just another PHP saint |
Email: rrjanbiah-at-Y!com
Jul 17 '05 #10

P: n/a
Your php script will simply output a web page, in this case the Javascript
code.

If your goal is to hide the Javascript code, PHP is of no help there.

Imagine the output from PHP as a static file (whether it contains HTML or
Javascript or just plain text).

If you cannot somehow hide such imaginary file from being viewed directly,
you cannot do it with PHP either.

That said, outside PHP there are various means to hide HTML-source and with
a little messing with them you could also hide the link to the PHP script
that outputs the Javascript code. But as far as I know, none of those "hide
source" things work 100%. Somehow, someone will always be able to view the
source.

In conclusion, this is not a PHP issue.

-Jani
"Mark" <ch**********@yahoo.co.uk> wrote in message
news:6c*************************@posting.google.co m...
Sorry, I'm a newbie to php ;)

I was thinking about using php to write the script file, something
like:

<script type="text/javascript"
src="http://insert_url_here.com/myScript.php"></script>

The php file then echo'ing the source code. If that works then how can
I stop the php file being loaded directly, that is the user browsing
to http://insert_url_here.com/myScript.php and seeing the source. I
only want it to write the source when it is called through the script.

Any help is much appreciated...

Jul 17 '05 #11

This discussion thread is closed

Replies have been disabled for this discussion.