Page 1 of 1
Using PHP to Hide Javascript Source
Posted: Fri Nov 21, 2003 9:06 am
by tastywheat
I want to use javascript on my site for navigation, but I don't want anyone to see the code. I could store my javascript in a .js file but they can still download it right? I know that I can put a php file as my source and it can generate the javascript code. Well, the problem is that they can still download this php file. What I'm getting at is, is there any kind of code I can add to a php file so it will produce a certain output only when downloaded?
Posted: Fri Nov 21, 2003 9:11 am
by JayBird
Nothing that PHP can do i think.
What i would do is, put the Javascript in a .js file, then remove ALL formatting so that it is all on one line, change variable names so they do make sense to anyone apart from you.
Or
You can get programs that will encrypt the Javascript so that it still works but is unreadable.
Mark
Posted: Fri Nov 21, 2003 6:19 pm
by maniac9
Even encryption will not work. The problem with JavaScript is that its source must be available so the browser can read it clearly and execute the code. Any kind of encryption would require the browser to decrypt the code in order to execute it, which to my knowledge, is not readily available. This, sadly, is one of the downfalls of JavaScript.
Posted: Fri Nov 21, 2003 6:53 pm
by m3mn0n
PHP sure can hide it if you don't want anyone to see it, if it's not being displayed of course.
But when you want to display and use the javascript file, then php needs to echo/print the source to the browser eventually so users will be able to freely view it just like html.
Posted: Fri Nov 21, 2003 10:26 pm
by DuFF
Well you could put it in a .js file and then either put the file outside the web root or just add a .htaccess to it. Would this work? I don't know much about javascript so I can't help you much there.
Posted: Fri Nov 21, 2003 10:49 pm
by m3mn0n
maniac9 wrote:Even encryption will not work. The problem with JavaScript is that its source must be available so the browser can read it clearly and execute the code. Any kind of encryption would require the browser to decrypt the code in order to execute it, which to my knowledge, is not readily available. This, sadly, is one of the downfalls of JavaScript.
I've actually seen some javascript that was encrypted, it worked fine too. It was supose to be this new script that no popup blocker could block the popup that it would launch. Maybe it was a java applet, but I don't know since I only read a breif description and It was encrypted of course.
This site is worth taking a look at, they claim to be able to encrypt HTML and JavaScript...
http://www.protware.com/default.htm
# Flexible encryption options:
* Encrypt html files, asp files, external script files(.js or .vbs), php and shtml files, framesets and style sheets (.css) files. You can also encrypt HTML-formatted email.
* Protect your images with Image Guardian - enhanced image protection.
* Encrypt only desired parts of html files.
* Two different methods of encryption
* - files encrypted with the default method work in all javascript-enabled browsers. You can also use the alternative, more fast and secure method for Internet Explorer 5.0 or higher only. Disable right mouse button.
* Disable showing link targets in status bar.
* Disable text selection.
* Prohibit offline use
* - your files will work fine when someone is browsing your site, but they will not work if they are saved and run from a local hard drive. Password protect your pages using either a basic or Ultra-Strong password protection.
* Prohibit linking your pages from other sites.
* Prohibit printing of protected files.
* Disable Clipboard & Print Screen ( for IE 5+ only ).
* Option only to compress HTML code(without encryption).
Posted: Sun Nov 23, 2003 1:37 am
by tastywheat
I tried that HTML Guardian thing before and it does a really good job of encrypting .js files. However, in my experience, it encrypts them so well that they don't work anymore. The html encryption works just fine, but the unregistered version adds a banner into the code. No, I won't buy the software either. I'd sooner resort to using flash for my website. I tried something using session variables but I kept getting errors. Or maybe I thought this could be done using the HTTP_REFERER value, but that all depends on the browser. I'm no expert with php, but isn't there some way you can tell if a file is being downloaded instead of just read? Or isn't there something I can do using .htaccess files? A friend of mine said that there's a way you can let files be read and not downloaded. We couldn't figure out how though.
Posted: Sun Nov 23, 2003 9:07 am
by maniac9
Well, the problem with all of this lies in the fact that JavaScript has to be freely available for the browser to see, which in turn means that the user can see it too.
Posted: Sun Nov 23, 2003 9:33 am
by blind487
you could always just make it REALLY REALLY hard, and use all of the above:
have a php file write the javascript code, and mask all the variables and put the code on one line so it is very very hard to read. then you can chmod the file so it can be executed but not viewed or downloaded. thats about the best you can get i think. also a nice little trick that i've seen is to add 'phantom code'. basically extra javascript commands that don't use time to execute, but just confuse those who are looking at it. i.e.
(this isn't javascript... but you'll get the idea)
Code: Select all
if ($useless)
if (!($useless2))
$useless2 = true;
if($useless)
$useless = false;
else
if (!(useless3))
$useless = true;
i'm not sure what that does... and i just wrote it. so you get the idea