hide javascript with PHP - reposted in Coding

freebie

I was wondering if it's possible to prevent javascript access and prevent javascript caching using PHP. My idea is to hide "proprietary" javascript (I know it's hard to make 100%) using PHP like such:
<script langauge='Javascript' src="myjavascript.php?">

and then maybe check the referer server variable to see if the referer was that web page, and only return the script if it is?

Has anyone ever done something like this?

Thanks for any thoughts.

PS - I reposted this in the coding forum. Please post any replies in that one. Thank you

Jeff

cruz610

Unfortunately the only way you could effectively hide the javascript is if you used some type of encoding program. PHP cannot actually HIDE the code because it still processes it and outputs it🙁 Your idea of checking the referrer would work though. Just do a simple if state which either includes the file or doesnt. Or you can htaccess the file if it is an external .js

Pig

Javascript is CLIENT SIDE, which means that it must be available to the client to do anything. There is absolutely nothign you can do to prevent js from being completely public. That is the nature of client side.

freebie

I realize that Javascript is Client-side, and in all essence can't be protected, but by using a <script scr="something.php"> in combination with setting cache settings to not cache the "inlcuded" script, then that should prevent someone from accessing the code. Someone could of course type the path to the script directly in the address bar, but, that's why I mentioned checking the referer. If they really wanted to get the script, obviously they could by using a packet sniffer, but this would prevent most people from knowing how to get it.
I haven't tried this yet, but I'll give it a shot later and see if I'm able to get it to work.

CW0LVES

this what you want? Hidden Source Code

LordShryku

Originally posted by CW0LVES
this what you want? Hidden Source Code

Very effective :rolleyes:

document.write('Try and get my source code...I DARE YOU!'); // Okay, fine...I concede...
function clickIE4(){	
   if (event.button==2){		
      return false;	
   }
}
function clickNS4(e){	
   if (document.layers||document.getElementById&&!document.all){		
      if (e.which==2||e.which==3){			
         return false;		
       }	
   }
}
if (document.layers){	
   document.captureEvents(Event.MOUSEDOWN);	
   document.onmousedown=clickNS4;
}else if (document.all&&!document.getElementById){	
   document.onmousedown=clickIE4;
}
document.oncontextmenu=new Function(";return false");
setInterval('window.clipboardData.setData(\'Text\', \'\');',100);

freebie

CWolves, that is one of the better solutions I've seen. Hard to get at without using a packet sniffer.

As, LordShryku has shown you can't get 100% because the user can always sniff the javascript, but I know I can't achieve 100% protection with javascript. That's just not realistic. I think a solution like yours or maybe like the one I mentioned (which I still haven't gotten around to - it's a side project) will keep it from many a web developer's eyes.

Used in combination with a javascript obfuscator could cause it to be to time consuming for many to bother (as well as throwing in some useless functions that never get called as a means of bloating the code a little)

Thanks for all the replies. If I'm able to come up with a re-usable "solution", I will post it.

LordShryku

Actually, there's never going to be a need to "sniff" the javascript. All I did was save the page to disk. Any idiot can do that. As Pig pointed out, it's client side, it's going to be available. My best suggestion would be to try looking at some server side solutions. Not everything can be converted to server side, given, but maybe some of it can.

freebie

good point. I should be able to get some of it into server-side code

One other thought added to this though would be that if the page with the script is opened in a popup (ie, with no menu bar), and right click was disabled, you wouldn't be able to save the file, and if caching was disabled on the page, then it would prevent the user from saving the script and would need a sniffer to get at the code.

LordShryku

Try it. Betcha I could save the file 😃

freebie

somehow I just believe you.

LordShryku

Just trust me that, when regarding client side products, anyone with have a brain and a browser could get the code. So if at all possible, do it server side. That way, they have to have access to the server's file system to get to it.