Hello, please forgive me for posting such a basic question. I have a website up already, that is not PHP. I don't know enough about PHP to re-do the whole thing in PHP, but I would like to protect the source code better than the disabled right click method. As I understand it, if the pages were in PHP surfers wouldn't be able to use the view source in the toolbar either. So what I'm wondering is this, if I had a very basic PHP page that did nothing but put the real site in a borderless 100% x 100% frame, would that then keep people from viewing the source code (provided they were unable to guess the address of the pages done in html/css/javascript)?
Protecting source code
-
Hi.
People will always be able to read the HTML markup and any other client-side code you send (like JavaScript and CSS). There is no real way to protect against that.
PHP on the other hand is executed on the server and is never sent to the client's browser. That in itself protects your PHP code from being viewed by the client, but the output of the PHP code (usually HTML, CSS and JavaScript) will be visible to your clients.
-
[quote=Z1P2]
So then basically doing what I suggested wouldn't have any desirable effect?
[/quote]
If I am understanding you correctly, that you are trying to hide the HTML markup and the client-side scripts from being viewed, then no, it would not have the effect you wanted.
The simple reality is that the HTML and client-side scripts need to be visible to the client so that it can be read and displayed by the browsers.
Is there any particular reason why you don't want your client-side scripts to be seen?
-
You can't stop people viewing your code but you can disable right-click and other buttons that they could use to view your source code. So if you have a site made of frames, they can't see the individual frame sources, only the frameset source, which isn't very useful to them.
That would be done in Javascript, so ask in the JavaScript forum.
Oh.. Apparently I didn't read your post very well. ;) Sorry.
-
[quote=Atli]
Is there any particular reason why you don't want your client-side scripts to be seen?
[/quote]
I just don't want people copying the site. A couple years ago I put up a site with some new features that weren't on any other similar sites, but within a month, everyone else had copied those features so their sites would "steal" the web traffic of people interested in sites with those features.
I am once again adding some new features that aren't on those other sites, and I would like to make it at least a little more difficult for those other webmasters to copy my work. Granted, I've got a copyright, but that's only as good as my willingness to sue. If they want those features, let them do the work I had to do.
-
I see. It is, unfortunately, impossible to hide the client-side code from people. Especially if they are determined to get it.
If a lot of your features are written in JavaScript or other client-side scripts, you could try re-writing some of it in PHP, making it very hard to steal. It would probably be enough to just re-write portions of it, making the JavaScript code unusable by itself.
Last edited by Atli; Oct 30 '07, 06:05 PM. Reason: Accidentally said server-side instead of client-side in the first sentence
-
People cannot view PHP code or other server side languages when they view your source. Neither will they be able to view javascript or CSS if they are in external documents!
You can make a php script to echo the HTML code for example:
[code=php]
<?php
echo "<html>";
echo "<head>";
echo "<title>test</title>";
echo "</head>";
echo "<body>";
echo "My site code here =D";
echo "</body>";
echo "</html>";
?>
[/code]
etc..
or the same with Javascript and 'document.write'. This will effectively hide your code!!
(please correct me if I'm wrong) - that should work!
Sam
-
Hi Sam.
Unfortunately you are not entirely correct there.
You are correct in saying that the server-side code, PHP and such, can not be viewed, but the client-side, HTML, CSS, JavaScript, can be viewed, even if they are external.
External documents (CSS, Javascript) exist on the server and must be available to the client in order to be read and used. Which means that a client can simply view the HTML markup, find the link to the external files and view them as they would any other page.
The code you posted will print the contents of the echo statements to the HTTP Response as the page's HTML markup. So it can be viewed just as if you had requested a normal HTML page containing the same markup.
-
I had similar concerns as the original poster. Here is a partial solution:
Create sourcefile.htm and targetfile.htm. Be sure to add
[code]
AddHandler application/x-httpd-php .htm .html
[/code]
to your .htaccess so PHP can be parsed inside htm files.
Create this function inside a separate PHP file. For ease of explanation we will call our file myfunctions.php. Here is the function:
[code=php]
<?php
// Read the request headers from $_SERVER (the old $HTTP_SERVER_VARS array
// is no longer available). Both values are supplied by the client.
// referrer page
$referrer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
// host name
$host = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : '';

//*****************restricted access function
function nosee() {
    global $referrer, $host;
    // strpos() returns false when the host name does not occur in the referrer
    $pos = ($host === '') ? false : strpos($referrer, $host);
    if ($pos === false) {
        // escape the host name before echoing it back into the page
        echo '<h1>OOOPS! This page is restricted. Please <a href="http://'
            . htmlspecialchars($host, ENT_QUOTES)
            . '">click here</a> to return to the homepage.</h1>';
        exit();
    }
}
?>
[/code]
Create a FRAME or IFRAME in sourcefile.htm that targets targetfile.htm.
At the very top of targetfile.htm place this PHP code:
[code=php]
<?php
include('myfunctions.php');
nosee();
?>
[/code]
Follow this PHP code with any markup for targetfile.htm.
What this function nosee() does is use the PHP function strpos() to check if the referring page server variable contains the site's domain name. This condition will only be true if another page on the site "calls" the page, as is the case when using a FRAME or IFRAME. Hence, the content of targetfile.htm will appear in the FRAME or IFRAME of sourcefile.htm.
If someone tried to access targetfile.htm directly then the referrer page variable will not be set. Next, the $pos variable will evaluate to false. Lastly, the if conditional of the nosee() function will evaluate to true (i.e. $pos equals exactly false), immediately printing
[code]
<h1>OOOPS! This page is restricted. Please <a href="http://' .$host.'">click here</a> to return to the homepage.</h1>
[/code]
I hope this helps. But be warned. I am not a pro and only dabble with web design and PHP scripting. So I don't know what I don't know. For all I know this method I outlined could have been defeated a long time ago. Second, I cannot get it to work on external CSS files. Also, using this method may cause usability and search engine problems. So use at your own risk.
-
[quote]
If someone tried to access targetfile.htm directly then the referrer page variable will not be set.
[/quote]
This would exclude all visitors coming directly from, for example, Google. Or any link outside of your site. This is, in general, not what anybody would ever want to use on their site. Ever.
As a matter of fact spiders wouldn't necessarily set the referrer to be anything on your site so it'd look to spiders like your whole site contains nothing but the error page text.
The referrer string is sent by the user agent at their discretion. It can say whatever they want it to say. It can't be relied on completely, though it may be accurate in most cases.
As to the OP's problem, I'd say you just have to move faster than the competition. Competitors who want your client-side code will get it easily and disabling right-click for the 99.99% of visitors who aren't copying your site will tick them off. The only consolation I can offer is that you probably learned a thing or two from viewing other sites' source as well.
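The points raised in the reply above, shown as an added example that is not part of any post in this thread: the referrer test from nosee() is rewritten as a pure function and evaluated against constructed requests, next to a stricter exact-host comparison. The function names, the host www.example.com and all Referer values are assumptions made up for the illustration.

```php
<?php
// Added example: the referrer test from nosee() as a pure function, so it can
// be evaluated against constructed requests without a web server.
function referrer_check_passes(string $referrer, string $host): bool
{
    // Same logic as nosee(): serve the page if $host occurs anywhere in $referrer.
    return $host !== '' && strpos($referrer, $host) !== false;
}

// Stricter variant (hypothetical helper): compare the parsed host name exactly.
function referrer_host_matches(string $referrer, string $host): bool
{
    $refHost = parse_url($referrer, PHP_URL_HOST); // null or false if absent
    return is_string($refHost) && strcasecmp($refHost, $host) === 0;
}

$host = 'www.example.com'; // constructed site name

// Constructed requests: description => Referer header value sent by the client.
$requests = [
    'framed by sourcefile.htm'      => 'http://www.example.com/sourcefile.htm',
    'typed URL or bookmark'         => '',
    'search result click'           => 'http://search.example.net/?q=widgets',
    'crawler without Referer'       => '',
    'host name inside foreign URL'  => 'http://other.example.org/?u=www.example.com',
    'client sets its own Referer'   => 'http://www.example.com/',
];

printf("%-32s %-10s %s\n", 'request', 'strpos', 'exact host');
foreach ($requests as $label => $referrer) {
    printf(
        "%-32s %-10s %s\n",
        $label,
        referrer_check_passes($referrer, $host) ? 'served' : 'blocked',
        referrer_host_matches($referrer, $host) ? 'served' : 'blocked'
    );
}
```

Exact host matching only removes the substring false positive; neither check can tell a framed request from a client that supplies the header itself, and the markup reaches the browser in every "served" case.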
-
[quote=Z1P2]
I just don't want people copying the site. A couple years ago I put up a site with some new features that weren't on any other similar sites, but within a month, everyone else had copied those features so their sites would "steal" the web traffic of people interested in sites with those features.
I am once again adding some new features that aren't on those other sites, and I would like to make it at least a little more difficult for those other webmasters to copy my work.
[/quote]
You implemented "new features" on a web site a couple years ago and you don't know the basics of JavaScript and PHP? Forgive me if that raises my eyebrows.
Listen, if you ever implement a "feature" on a web page that's worth stealing, there is absolutely NOTHING you can do to prevent others from stealing it. The reason is that the browsers need to be able to get the code and read it - JUST LIKE HUMANS.
Yes, you can make this more difficult by hiding your coolness in JavaScript and obfuscating it (like Google does), but this won't prevent anyone dedicated enough from hacking your site within a week.
-
So is our best protection to make everything so much of a hassle that the hacker will find an easier target?
I can accomplish what I want as far as security goes without distributing code; however, it costs me money handling post backs just to run scripts that could be handled on the client side.
-
What a long thread.
It's very simple, as the last and first guys said:
if the browser can "read" it, so can we!
Making the code congested (try to view Google's JS page, it's art) and with complicated vars is, I believe, the best way; at least if someone "steals" it, you know he spent a few hours to understand what you did in days of work.
C'est la vie.