Regarding this well-known quote, often attributed to Mark's famous "3 Jun
2004 15:34:52 -0700" speech:
Sorry, I'm a newbie to php ;)
I was thinking about using php to write the script file, something
like:
<script type="text/javascript"
src="http://insert_url_here.com/myScript.php"></script>
The php file then echo'ing the source code. If that works then how can
I stop the php file being loaded directly, that is the user browsing
to http://insert_url_here.com/myScript.php and seeing the source. I
only want it to write the source when it is called through the script.
Any help is much appreciated...
The only way I can think of to do this is a clunky and over-the-top, but it
should work for most uses: Using a one-time key.
1. Make sure nothing caches. Add every "Never Cache Me!" header you can
think of to the JS/PHP file and the calling file.
2. Whenever the calling file is run, it generates a random key, and writes
it to a file or database. Say it's "asdboibo29h9q".
3. The javascript is called like <script type="text/javascript"
src="scriptme.php?key=asdboibo29h9q">
4. The PHP in scriptme.php checks to see if that key exists. If it does, it
is deleted. If not, the "Keep off my script" message is all they get.
This has a few problems:
It can be subverted by someone turning off JavaScript, then typing the URL
from the script tag in their browser. Since the script was never
downloaded, the key is not expired. They get the script. Also, someone
manually retrieving files from the server, or using a non-browser utility
could get the script. It's foolproof, but quite a few people past the
"fool" stage could still get at it.
Also, if the calling page gets cached, the script will fail to load, since
the same key will be used twice. You could make the "alternate" JavaScript
code deal with this somehow, I suppose, by gracefully failing, or trying to
reload a new key.
--
-- Rudy Fleminger
--
sp@mmers.and.evil.ones.will.bow-down-to.us
(put "Hey!" in the Subject line for priority processing!)
--
http://www.pixelsaredead.com