
PHP Server Side Scripting Forum

    
hiding PHP
rhodopsin




msg:1294092
 1:00 pm on Nov 11, 2004 (gmt 0)

Am I right to assume that PHP code is safe from visitors being able to see it if they go searching? Unlike Javascript.

Are there any extra measures I should go to to hide my PHP code?

 

mincklerstraat




msg:1294093
 1:23 pm on Nov 11, 2004 (gmt 0)

Yes, I put any php files that I *really, really* don't want out in the open under the webroot - you can also see the thread on preventing php output [webmasterworld.com].

[edited by: coopster at 8:59 pm (utc) on Nov. 11, 2004]
[edit reason] fixed link [/edit]

coopster




msg:1294094
 2:14 pm on Nov 11, 2004 (gmt 0)

You may also want to review the Security [php.net] pages of the manual.

rhodopsin




msg:1294095
 7:49 pm on Nov 11, 2004 (gmt 0)

RE "thread on preventing php output"

I follow the link and I just get to the main WebmasterWorld page. Would be really grateful if you could repost the link - I think something has gone astray. Thanks mate.

P.S. also did WebmasterWorld search for "preventing php output" and couldn't pull anything out

coopster




msg:1294096
 9:13 pm on Nov 11, 2004 (gmt 0)

Link fixed ;)

rhodopsin




msg:1294097
 9:58 pm on Nov 11, 2004 (gmt 0)

Was hoping that I could hide some javascript in PHP. This javascript (in PHP) gets the time zone of the visitor and displays it to them.

<?php
echo '<SCRIPT Language="JavaScript">
var curDateTime = new Date()
document.write("GMT Offset for your time zone is ")
document.write(-(curDateTime.getTimezoneOffset()/60))
</SCRIPT>';
?>

The problem with the above is that if the visitor saves the web page and looks at the source code - can see my javascript. But I know that the visitor cannot get his hands on PHP code - so try to integrate the javascript into PHP more by putting the javascript in a PHP variable. However, does not work.

<?php
$rup = '<SCRIPT Language="JavaScript">
var curDateTime = new Date()
document.write("GMT Offset for your time zone is ")
document.write(-(curDateTime.getTimezoneOffset()/60))
</SCRIPT>';
echo '$rup';
?>

Can anyone follow on from this such that I can hide my javascript? How can I integrate the javascript with the PHP to confer the javascript hidden - as it is so intertwined with the PHP - that the visitor cannot see any kind of functional source code.

Am I on the start of a promising track? Or is this a dead end? Once again, many thanks.

httpwebwitch




msg:1294098
 10:04 pm on Nov 11, 2004 (gmt 0)

Why would you need to hide the javascript? Displaying the time zone isn't the sort of thing that makes hackers salivate...

Stop trying. Eventually we all have to accept that server-side programming is hidden, client-side programming is public.

If you are concerned about someone "stealing" your javascript, obfuscate it.

rhodopsin




msg:1294099
 11:14 pm on Nov 11, 2004 (gmt 0)

I know it may seem quite a stupid thing to do - but it would be really, really fantastic for me if I can hide this javascript

"all have to accept that server-side programming is hidden, client-side programming is public."

I realise what I want to do does run counter to conventional wisdom. And the odds are heavily stacked towards it being impossible. But it would be really good for me if there was a way. It would probably be interesting, from an academic viewpoint, to a few other people. Although I doubt many people have much practical purpose for this.

I don't mean to push this too far and upset people on the board. If nothing comes up soon I will stop pressing this as I can imagine that repeated fantastical posts can be annoying. I am a bit of a dreamer - but this really would be very interesting and useful to me if there is a way. Many thanks for your patience.

rhodopsin




msg:1294100
 11:45 pm on Nov 11, 2004 (gmt 0)

Pretty definitive answer from a friend:

"Yup, this is a dead end.
However you integrate your javascript, the PHP will have been parsed by the time it reaches the client, leaving just your javascript as the output, which has to be delivered to the client to function."

The dream is dead. Thanks for all your help guys.

mincklerstraat




msg:1294101
 8:46 am on Nov 12, 2004 (gmt 0)

Your friend's right. There's something of an answer to your question in your 'PHP and Time' thread ;) . Coopster, thanks for making that link work, sorry for the inconvenience!

httpwebwitch




msg:1294102
 9:50 pm on Nov 12, 2004 (gmt 0)

hiding javascript... some suggestions for the dreamer
:)

- linking. put your javascript in an external *.js file, and link it to your document with the <script> tag. It's not going to deter anyone who knows enough to download the file, but it won't appear in your page source, so it's a step in the right direction

- crippling. You can grab the location and use that as a crippling measure in your script. If the domain is "mydomain.com", do something. if not, alert a nasty invective. That method is popular with Flash Actionscripters who don't want to share their SWFs.

- obfuscation. There are applications available that will take a nice readable javascript and turn it into a working mess of unreadable garbage. They usually work by removing all the whitespace and replacing variable and function names with awkward ASCII codes. Combined with crippling, obfuscation can make your script useless to everyone but you.

If all you are doing is displaying some client settings like time zone or browser type, (i.e. you don't need interactive on-the-page events) there is a trick you can use. It takes client info and passes it to the server, essentially loading the page twice.

1) look in POST to see if $_POST['myvar'] is set
2) if it's not, then
a) write a <form> with <input type='hidden' name='myvar' value='hello'>
b) <body onLoad="myform.submit()">
3) if myvar is there, then use it.

Good luck!
httpwebwitch
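
The two-pass trick in steps 1 to 3 above, written out in PHP as an added example that is not part of the original post; the field and form names are hypothetical. It assumes PHP 7.1 or later and treats the posted value as untrusted input, validating it before use.

```php
<?php
// Added example. 'tz_offset' and 'tzform' are hypothetical names
// (the post calls them 'myvar' and 'myform').

// Everything in $_POST is chosen by the client, so accept only a whole
// number of minutes inside the range getTimezoneOffset() can return
// (UTC+14 is -840, UTC-12 is 720). Anything else counts as "not set".
function parse_tz_offset(array $post): ?int
{
    if (!isset($post['tz_offset']) || !is_string($post['tz_offset'])) {
        return null;
    }
    $minutes = filter_var($post['tz_offset'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => -840, 'max_range' => 720],
    ]);
    return $minutes === false ? null : $minutes;
}

$minutes = parse_tz_offset($_POST);

if ($minutes === null) {
    // Pass 1 (steps 2a and 2b): send a form that fills itself in and submits.
?>
<html>
<body onload="var f = document.forms['tzform']; f.tz_offset.value = new Date().getTimezoneOffset(); f.submit();">
<form name="tzform" method="post">
<input type="hidden" name="tz_offset" value="">
<noscript>JavaScript is needed to detect your time zone.</noscript>
</form>
</body>
</html>
<?php
    exit;
}

// Pass 2 (step 3): $minutes is a validated integer, so it is safe to
// branch on and to print. getTimezoneOffset() is UTC minus local time,
// hence the sign flip, matching the script earlier in the thread.
$hours = -$minutes / 60;
echo 'GMT offset for your time zone is ' . htmlspecialchars((string) $hours, ENT_QUOTES);
```

The pass-1 page, including the hidden field and the getTimezoneOffset() call, is still delivered to the browser, so only what the server does with the value stays out of view.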

rhodopsin




msg:1294103
 4:16 pm on Nov 13, 2004 (gmt 0)

Thanks ever so much web witch for being so patient.

One thing that I should mention is that it is not my code per se that I wish to protect - it is just that I do not want persons to know that I am redirecting on the basis of time zone if they ever take the time to look. So, in this way I can provide different content to different time zones - without anyone knowing.

Why do I not get the time, and then send it back to a php script like you kindly suggested in your last post?

That is an excellent idea. It definitely reduces the amount of code on the client side. But - they could still guess that I am using time zone as they can see that the time zone javascript variable is being sent to my server. Is there any way that I can implement the javascript with perhaps altered variable names - so that they would not know that it is time information that I am plucking from their computer?

For instance - here is some javascript that returns the time zone of the visitor. I could adapt this to send time zone variables back to my server - but in such code they would see getTimezoneOffset - would guess that I had some code server side that was perhaps redirecting on the basis of time zone. Is there any way that I can change javascript variables to different names? So, that they cannot guess what I am sending server side?

<SCRIPT Language="JavaScript">
var curDateTime = new Date()
document.write("GMT Offset for your time zone is ")
document.write(-(curDateTime.getTimezoneOffset()/60))
</SCRIPT>

Once again - many thanks for all your help. I really hope that you don't find this thread tiresome. You really are being a great help to me. I really am very grateful.

Am going to post on a few other points in a second - but will put them in a separate post for clarity.

rhodopsin




msg:1294104
 4:23 pm on Nov 13, 2004 (gmt 0)

"- crippling. You can grab the location and use that as a crippling measure in your script. If the domain is "mydomain.com", do something. if not, alert a nasty invective. That method is popular with Flash Actionscripters who don't want to share their SWFs. "

This seems very interesting and very different from any other solution that I have read about. I would be very grateful if you could elaborate. Or perhaps point me to a resource where it discusses this measure in more detail. Especially if it has some coding pointers for it. Many thanks mate.

httpwebwitch




msg:1294105
 9:07 pm on Nov 19, 2004 (gmt 0)

this is a subject more appropriate for the javascript forum, but here goes:
crippling is done thusly:

<script>
var loc=location.toString();
if (loc.indexOf("domain")!=-1){
alert("do something")
}
</script>

the variable "loc" is set to the page's URL.

the second line looks at that and finds the string "domain" (which you would replace with your domain name, like "mysite.com")

anything inside that "if" block will only execute if your domain name is found in the URL.

combine this with obfuscation, and you have a pretty nifty client-side script protection.

you could even encrypt your domain name with some sort of 2-way cipher if you're so inclined.

good luck!
