Hide javascript source using php

Re: Hide javascript source using php

On 3 Jun 2004 15:34:52 -0700, chromeclouds@ya hoo.co.uk (Mark) wrote:
[color=blue]
>I was thinking about using php to write the script file, something
>like:
>
><script type="text/javascript"
>src="http://insert_url_here .com/myScript.php"></script>
>
>The php file then echo'ing the source code. If that works then how can
>I stop the php file being loaded directly, that is the user browsing
>to http://insert_url_here.com/myScript.php and seeing the source. I
>only want it to write the source when it is called through the script.[/color]

If you're doing this in the name of security, surely this is pretty futile,
even if it could be done reliably. The browser will need to download the
Javascript to run it, therefore the source is available to the user.

--
Andy Hassall <andy@andyh.co. uk> / Space: disk usage analysis tool
http://www.andyh.co.uk / http://www.andyhsoftware.co.uk/space

Re: Hide javascript source using php

Regarding this well-known quote, often attributed to Mark's famous "3 Jun
2004 15:34:52 -0700" speech:
[color=blue]
> Sorry, I'm a newbie to php ;)
>
> I was thinking about using php to write the script file, something
> like:
>
> <script type="text/javascript"
> src="http://insert_url_here .com/myScript.php"></script>
>
> The php file then echo'ing the source code. If that works then how can
> I stop the php file being loaded directly, that is the user browsing
> to http://insert_url_here.com/myScript.php and seeing the source. I
> only want it to write the source when it is called through the script.
>
> Any help is much appreciated...[/color]

The only way I can think of to do this is a clunky and over-the-top, but it
should work for most uses: Using a one-time key.

1. Make sure nothing caches. Add every "Never Cache Me!" header you can
think of to the JS/PHP file and the calling file.

2. Whenever the calling file is run, it generates a random key, and writes
it to a file or database. Say it's "asdboibo29h9q" .

3. The javascript is called like <script type="text/javascript"
src="scriptme.p hp?key=asdboibo 29h9q">

4. The PHP in scriptme.php checks to see if that key exists. If it does, it
is deleted. If not, the "Keep off my script" message is all they get.


This has a few problems:

It can be subverted by someone turning off JavaScript, then typing the URL
from the script tag in their browser. Since the script was never
downloaded, the key is not expired. They get the script. Also, someone
manually retrieving files from the server, or using a non-browser utility
could get the script. It's foolproof, but quite a few people past the
"fool" stage could still get at it.

Also, if the calling page gets cached, the script will fail to load, since
the same key will be used twice. You could make the "alternate" JavaScript
code deal with this somehow, I suppose, by gracefully failing, or trying to
reload a new key.

--
-- Rudy Fleminger
-- sp@mmers.and.ev il.ones.will.bo w-down-to.us
(put "Hey!" in the Subject line for priority processing!)
-- http://www.pixelsaredead.com

Re: Hide javascript source using php

chromeclouds@ya hoo.co.uk (Mark) wrote in message news:<6c9897c2. 0406031434.9d86 b79@posting.goo gle.com>...[color=blue]
> Sorry, I'm a newbie to php ;)
>
> I was thinking about using php to write the script file, something
> like:
>
> <script type="text/javascript"
> src="http://insert_url_here .com/myScript.php"></script>
>
> The php file then echo'ing the source code. If that works then how can
> I stop the php file being loaded directly, that is the user browsing
> to http://insert_url_here.com/myScript.php and seeing the source. I
> only want it to write the source when it is called through the script.[/color]

As phpSt.Andy said, there is no bullet-proof solution to hide JS as
it is client-side and the code is required to run.

Anyway, it seems you're looking for the solution just like
"hotlinking ". Just do a Google search on "hotlinking ", you'll find
number of solutions usually for the images--which can be taken for JS
too. Similar one is here
<http://www.htmlcenter. com/tutorials/tutorials.cfm/159/PHP/>

In simpler terms the logic is:
1. Set a session variable aka flag in a main script
2. Check the presence of the flag in a on the fly JS creating PHP code
3. Add no-cache headers in on the fly JS creating PHP code--so that
the code is not get stored in temp folders.

--
| Just another PHP saint |
Email: rrjanbiah-at-Y!com

Re: Hide javascript source using php

Thank you for the responses.

It is not so much that I want to hide the source, but rather I want to
track where it is being used. So thats why I thought of PHP, when the
file is requested it can log that info. Hiding the source was just
something else which I though would be useful, otherwise people could
just copy the code and upload it elsewhere without me being able to
track the script's use.

P.S. I have also found this here:

Re: Hide javascript source using php

In article <6c9897c2.04060 40235.771a5eb7@ posting.google. com>, Mark wrote:[color=blue]
> Thank you for the responses.
>
> It is not so much that I want to hide the source, but rather I want to
> track where it is being used. So thats why I thought of PHP, when the
> file is requested it can log that info. Hiding the source was just
> something else which I though would be useful, otherwise people could
> just copy the code and upload it elsewhere without me being able to
> track the script's use.[/color]

As soon someone saves the output of your script (thus the actual
JavaScript code, it will be hard to track it down, if not impossible,
where it's used next).

--
Tim Van Wassenhove <http://home.mysth.be/~timvw/contact.php>

Re: Hide javascript source using php

Mark wrote:[color=blue]
>
> otherwise people could just copy the code and upload it
> elsewhere without me being able to track the script's use.[/color]

They can, you can't track or control it, and attempting to do so is a
waste of your time. However, *learning* that this is a waste of your
time is not a waste of your time, so go right ahead. Eventually you'll
realize that you are tilting at windmills, and you'll be wiser for the
experience.

bblackmoor
2004-06-04

Re: Hide javascript source using php

chromeclouds@ya hoo.co.uk (Mark) wrote in message news:<6c9897c2. 0406040235.771a 5eb7@posting.go ogle.com>...[color=blue]
> Thank you for the responses.
>
> It is not so much that I want to hide the source, but rather I want to
> track where it is being used. So thats why I thought of PHP, when the
> file is requested it can log that info. Hiding the source was just
> something else which I though would be useful, otherwise people could
> just copy the code and upload it elsewhere without me being able to
> track the script's use.
>
> P.S. I have also found this here:
> http://groups.google.com/groups?selm....earthlink.net[/color]

I guess, few possibilities to hack this system:

1. A PHP code using cURL functions
2. A sniffer
3. Browser masquerade techniques

--
| Just another PHP saint |
Email: rrjanbiah-at-Y!com

Re: Hide javascript source using php

"R. Rajesh Jeba Anbiah" <ng4rrjanbiah@r ediffmail.com> wrote in message
news:abc4d8b8.0 406042340.40257 cd6@posting.goo gle.com...[color=blue]
> chromeclouds@ya hoo.co.uk (Mark) wrote in message[/color]
news:<6c9897c2. 0406040235.771a 5eb7@posting.go ogle.com>...[color=blue][color=green]
> > Thank you for the responses.
> >
> > It is not so much that I want to hide the source, but rather I want to
> > track where it is being used. So thats why I thought of PHP, when the
> > file is requested it can log that info. Hiding the source was just
> > something else which I though would be useful, otherwise people could
> > just copy the code and upload it elsewhere without me being able to
> > track the script's use.
> >
> > P.S. I have also found this here:
> >[/color][/color]
http://groups.google.com/groups?selm....earthlink.net[color=blue]
>
> I guess, few possibilities to hack this system:
>
> 1. A PHP code using cURL functions
> 2. A sniffer
> 3. Browser masquerade techniques[/color]

The browser is always ready to caugh up the HTML content/Javascript code, so
any protection scheme is bound to fail.

To get the source to all functions (Netscape only):

javascript:f=[];for(name in
window){obj=win dow[name];if(typeof(obj) =='function'){f .push(obj);}}j= documen
t.createElement ('TEXTAREA');j. value=f.join('\ n');document.bo dy.appendChild( j
);void(0)

To get the content:

javascript:a=do cument.createEl ement('TEXTAREA ');document.bod y.appendChild(a )
;a.value=docume nt.getElementsB yTagName('HTML' )[0].outerHTML;void (0);

Re: Hide javascript source using php

"Chung Leong" <chernyshevsky@ hotmail.com> wrote in message news:<TPOdnaGbh KqTzljdRVn-vw@comcast.com> ...[color=blue]
> "R. Rajesh Jeba Anbiah" <ng4rrjanbiah@r ediffmail.com> wrote in message
> news:abc4d8b8.0 406042340.40257 cd6@posting.goo gle.com...[color=green]
> > chromeclouds@ya hoo.co.uk (Mark) wrote in message[/color]
> news:<6c9897c2. 0406040235.771a 5eb7@posting.go ogle.com>...[/color]
[...][color=blue][color=green][color=darkred]
> > > P.S. I have also found this here:
> > >[/color][/color]
> http://groups.google.com/groups?selm....earthlink.net[color=green]
> >
> > I guess, few possibilities to hack this system:
> >
> > 1. A PHP code using cURL functions
> > 2. A sniffer
> > 3. Browser masquerade techniques[/color]
>
> The browser is always ready to caugh up the HTML content/Javascript code, so
> any protection scheme is bound to fail.
>
> To get the source to all functions (Netscape only):
>
> javascript:f=[];for(name in
> window){obj=win dow[name];if(typeof(obj) =='function'){f .push(obj);}}j= documen
> t.createElement ('TEXTAREA');j. value=f.join('\ n');document.bo dy.appendChild( j
> );void(0)
>
> To get the content:
>
> javascript:a=do cument.createEl ement('TEXTAREA ');document.bod y.appendChild(a )
> ;a.value=docume nt.getElementsB yTagName('HTML' )[0].outerHTML;void (0);[/color]

Sounds like you're talking about "View Rendered Source"
<http://billfriedrich.t ripod.com/index.html?Web>

--
| Just another PHP saint |
Email: rrjanbiah-at-Y!com

Re: Hide javascript source using php

Your php script will simply output a web page, in this case the Javascript
code.

If your goal is to hide the Javascript code, PHP is of no help there.

Imagine the output from PHP as a static file (whether it contains HTML or
Javascript or just plain text).

If you cannot somehow hide such imaginary file from being viewed directly,
you cannot do it with PHP either.

That said, outside PHP there are various means to hide HTML-source and with
a little messing with them you could also hide the link to the PHP script
that outputs the Javascript code. But as far as I know, none of those "hide
source" things work 100%. Somehow, someone will always be able to view the
source.

In conclusion, this is not a PHP issue.

-Jani


"Mark" <chromeclouds@y ahoo.co.uk> wrote in message
news:6c9897c2.0 406031434.9d86b 79@posting.goog le.com...[color=blue]
> Sorry, I'm a newbie to php ;)
>
> I was thinking about using php to write the script file, something
> like:
>
> <script type="text/javascript"
> src="http://insert_url_here .com/myScript.php"></script>
>
> The php file then echo'ing the source code. If that works then how can
> I stop the php file being loaded directly, that is the user browsing
> to http://insert_url_here.com/myScript.php and seeing the source. I
> only want it to write the source when it is called through the script.
>
> Any help is much appreciated...[/color]