Simple way to obfuscate javascript code by PHP

Question

I want to give a free download to my web visitor but I will hide the download link until they click the facebook like button. After they like it then jquery will make the button active and add 'href' attribute to the tag, contains path to the file, so then user will be able to click the link and download the file.

The problem is, user will be able to see the path easily when viewing source of the html in their browser. Is there any easy way in php (I put the javascript codes inside on PHP file) to make a the path is harder to read?

It's fine when people will be able to deobfuscate it. I just want to make it harder to read for non advance user, so then people will consider to like the link instead of finding a way to deobfuscate the code.

Thank you

People will like it if the download is good. Else, you should not force them to like… — Bergi, Dec 07 '12 at 14:25
This seems **unethical** and possibly violates a TOS: requiring a LIKE from the user to pay for software that hasn't been tried yet.... before the user knows if the download was good, complete, compatible or even relevant. In this way a download with spyware, adware, or just an obscene troll, can gain an undeserved endorsement. — Paul, Dec 07 '12 at 14:44
@Paul lol This won't be something like that. I just want to give free design/psd files (just like icons, psd themes etc) to my website visitors and as a giving back their 'like' will help me to spread my website through their facebook. And also, as this is just a design stuffs, user will be able to see the image preview of file in the blog content. — webchun, Dec 07 '12 at 14:56
@dreamexploded I don't want to assume any negative intent on your part. Trying to get any kind of acknowledgment for free icons, utilities, etc... is difficult because of all the takers. Still, this Q&A creates a controversial recipe. — Paul, Dec 07 '12 at 15:10

score 3 · Accepted Answer · edited May 23 '17 at 10:29

The only way to really do this properly is, of course, for the button press to make a round-trip to the server to retrieve the URL, via ajax or whatever.

But if you don't want to do that, and just want to obscure it, there are plenty of options. Base-64 encoding, for instance, has good support both in PHP and JavaScript, so you could encode the path on the PHP side (with base64_encode) and decode on JavaScript once the button is pressed (using any of several solutions discussed here on Stack Overflow).

score 1 · Answer 2 · edited Jun 20 '20 at 09:12

You can try something like this:

ob_start();
# Insert regular JavaScript here...
$generatedoutput = ob_get_contents();
ob_end_clean();
$generatedoutput = str_replace("\\\r\n", "\\n", $generatedoutput);
$generatedoutput = str_replace("\\\n", "\\n", $generatedoutput);
$generatedoutput = str_replace("\\\r", "\\n", $generatedoutput);
$generatedoutput = str_replace("}\r\n", "};\r\n", $generatedoutput);
$generatedoutput = str_replace("}\n", "};\n", $generatedoutput);
$generatedoutput = str_replace("}\r", "};\r", $generatedoutput);
require('javascriptpacker.php');
$myPacker = new JavaScriptPacker($generatedoutput, 62, true, false);
$packed = $myPacker->pack();
echo($packed);

And add this way:

<script language="JavaScript" type="text/javascript" src="js.php"></script>

^{N.B: Originally from sites.google.com/a/vansteenbeek.net/archive/obfuscate_javascript, which is now a 404}

score 1 · Answer 3 · answered Dec 07 '12 at 14:32

Perhaps you could just store the path server side and have the frontend pass a special code to a remote endpoint once the item has been "liked".

$([however you're binding to the like button]).on('click', function() {
 $.getJSON('/download_link.php', {'key': <some unique key>}, function(response) {
   if(response.status == 'valid') {
     $('<div><a href="' + response.path + '">Download the item now!</a></div>').appendTo('body');
   }
   else {
     alert('invalid security key');
   }
 });
});

If you're worried about people easily seeing the routine, then go to packer (http://dean.edwards.name/packer/). It's not secure but it will deter your average joe from seeing the code easily.

FYI the code above looks like this when packed:

eval(function(p,a,c,k,e,r){e=function(c){return c.toString(a)};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('$([m h\'9 e l 2 5 6]).7(\'8\', 3() {\n     $.b(\'/c.d\', {\'1\': <f g 1>}, 3(0) {\n       i(0.j == \'k\') {\n         $(\'<4><a n="\' + 0.o + \'">p 2 q r!</a></4>\').s(\'t\');\n       }\n       u {\n         v(\'w x 1\')}})});',34,34,'response|key|the|function|div|like|button|on|click|re||getJSON|download_link|php|binding|some|unique|you|if|status|valid|to|however|href|path|Download|item|now|appendTo|body|else|alert|invalid|security'.split('|'),0,{}))

You'll need to return the following from the download_link.php file:

<?php
  if(valid_key($_REQUEST['key'])) {
     header('Content-Type: application/json');
     echo json_encode(array('status' => 'valid', 'path' => generate_secret_path()));
  }
?>

Hope that helps.

+1 for dean.edwards packer. There is also a PHP version. So you can encode javascript on the server as well. — Meister Schnitzel, Oct 08 '14 at 13:37

Nathan Wall · Answer 4 · 2012-12-07T14:39:37.383

0

There are lots of ways to do what you want. Here's a simple algorithm that can build a URL. You can use this as inspiration. The following algorithm builds the URL "http://www.google.com/"

var url = [
    72, 84, 84, 80, 26, 15, 15, 87,
    87, 87, 14, 71, 79, 79, 71, 76,
    69, 14, 67, 79, 77, 15
].map(function(u) {
    return String.fromCharCode(u + 32);
}).join('');

console.log(url);

edited Dec 07 '12 at 14:39

answered Dec 07 '12 at 14:31

Nathan Wall

10,530
4
24
47

Simple way to obfuscate javascript code by PHP

4 Answers4

You can try something like this: