PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!
I have also made a slight change to the my_script.php file because it I had a line of code in the wring place (doh).. so if you have time could you try to download it again and let me know what happens.
The first time i clicked the link, it loaded it with the text saying i couldnt view it, then i pushed back and clicked it again, and it asked to download it... this is what it contained:
Sod it. Oh well at least it sort of works, and it's a start in the right direction I guess.
Right, back to the drawing board
PS. On a similar note securing a javascript file IS 100% possible using Flash and document.createElement() but this only works on browsers which support document.createElement()... which is just IE5+ I think.
If anyone does find a PHP way of doing this drop me a note or email.
PS. On a similar note securing a javascript file IS 100% possible using Flash and document.createElement() but this only works on browsers which support document.createElement()... which is just IE5+ I think.
Depends on your definition of 'safe'. Anyone who has done network security will tell you, data transmitted over a wire will never be secure. You're sending the browser some javascript, whether encoded, encrypted or otherwise, so anyone with a packet sniffer on the same network theoretically can retreive the javascript in question. You may want to have a look at javascript.encode--client side encoded javascript, quite difficult to decrypt without the proper algorithms (though they are available).
quartis: that is exactly why i was trying to figure out how to encode things so it'd be sent in gibberish.
i've done network work before.
was also my first thought here. you can even use the sniffer to capture what's coming TO you if you're not on the network but can get a connection...(as i mentioned earlier)
qartis wrote:
Depends on your definition of 'safe'. Anyone who has done network security will tell you, data transmitted over a wire will never be secure. You're sending the browser some javascript, whether encoded, encrypted or otherwise, so anyone with a packet sniffer on the same network theoretically can retreive the javascript in question. You may want to have a look at javascript.encode--client side encoded javascript, quite difficult to decrypt without the proper algorithms (though they are available).
This is a good point, but my thought on this is simply if someone wants to go to that much trouble to access a javascript file (using a packet-sniffer) then they should be ashamed of themself and also should be taken to court. People secure stuff for a reason.
Personally if I found someone ripping off code that I had a: copyrighted and b: attemped to make secure then I wouldn't think twice about ripping off their thumbs.
actually... when i worked in net ops i found out that there's a quirk with sniffers... technically they are illegal to use unless you're part of net ops for the place you're sniffing on, and even then only when it's for security purposes.
without that it technically falls under invasion of privacy, so you have to be able to prove you're doing it for the sole purpose of security not to have that issue, so not only could you bring them to civil court and problaby win the case, you can actually press legal charges
*evil grin*
(just something i thought you might like to hear)
Right then ladies and gents I have made a slight change to the initial code I posted (the first entry in this topic).
I have now made the javascript file double-layered.. which means the first javascript file which gets included doesn't contain the code I'm trying to secure, what it does is include the javascript code into itself.
The same method is used (session var) but this might do the trick.
If you get time could you pop along to http://www.urbanchaos.net/Lockdown/ and see what happens when you try and save the entire page, or access the 'hopefully semi-secure' javascript file.
Ok, what about this. I emailed my server provider asking them if it was possible to CHMOD either the folder and/or files I'm trying to secure. This is the reply I got..
It is not possible using unix chmod. All data served by a webserver is public.
solution:
link to script.php instead of script.js -
in script.php check the HTTP_REFERRER or HTTP_HOST variable (see php.net for more) verify that it is called from the
right page or domain name (urbanchaos.net) then do an "include ./script-js-original.inc"
if everything is ok.
..
<?
$refer=$HTTP_HOST;
if ($refer=="www.urbanchaos.net") {
include ("./script-js-original.inc");
}
else
{
echo "DENIED!";
}
?>
if the visitors try to launch script.php outside your html pages it
will not work.
Has anyone tried something like this before and do you think it's a sound idea. I'm going to try and get it working and on-line in the next hour or so.