
I have the following code:

<?php

$secret_data = "data noone can know";

?>

bla bla bla alot of html

<script type="text/javascript">
function("bla bla", {
data: '<?=$secret_data?>'
}
);
</script>

When people view the source in their web browser they will know the data. How can I use it in my JavaScript but still keep it safe?

Can I in some way put the JavaScript within the PHP?

Bill the Lizard
Hostse
  • You can't. Anyone interested enough can find it. – Salman A Feb 02 '13 at 20:57
  • When using client technologies, the code is visible to the user. You will have to try and do it on the server side if you want to keep your data safe. – Goaler444 Feb 02 '13 at 20:58
  • What are you trying to do with the secret data? – Michel Feldheim Feb 02 '13 at 20:58
  • I think [Obfuscation](http://en.wikipedia.org/wiki/Obfuscation_%28software%29) and [Minification](http://en.wikipedia.org/wiki/Minification_%28programming%29) – Feb 02 '13 at 20:59
  • Hmm, how would I be able to do it server side? – Hostse Feb 02 '13 at 21:01
  • @Hostse — We can't tell you, we don't know what "it" is. – Quentin Feb 02 '13 at 21:02
  • Well, I need the JavaScript to use the secret data, without letting the end user see what it is. – Hostse Feb 02 '13 at 21:06
  • @Hostse That isn't how JavaScript works. JS is always visible to the user, so the second you make it visible to the JavaScript, it becomes visible to the user. – Daedalus Feb 02 '13 at 21:07
  • @Hostse — As has been mentioned several times, that isn't possible. "The JavaScript" (currently) runs on the client. To process data with it, the data must be sent to the client. The client is under the control of the user. The user can therefore see the data. The only way to keep it secret is to do whatever you want to do with JavaScript on the server instead of in the browser. – Quentin Feb 02 '13 at 21:07
  • How would I do it on the server instead of client side? – Hostse Feb 02 '13 at 21:08
  • @Hostse We don't know what you're doing, so we couldn't tell you. – Daedalus Feb 02 '13 at 21:08
  • @Hostse — I don't know. You *still* haven't said what "it" is! – Quentin Feb 02 '13 at 21:08
  • Well, it is used in the JavaScript as an id for a user's content. When another user needs to view the user's content it is used in the JavaScript. But if another person knows this id, it can be edited by that user. So therefore it needs to be hidden. It's basically secret stuff ;) – Hostse Feb 02 '13 at 21:11
  • @Hostse Depending on your server logic, that isn't always true. – Daedalus Feb 02 '13 at 21:11
  • @Daedalus Well, in my case it needs to be hidden, as anyone who knows this id can edit it, which we would not like. – Hostse Feb 02 '13 at 21:13
  • As I wrote earlier in my question, it is used somewhat like this in the JavaScript: – Hostse Feb 02 '13 at 21:14
  • @Hostse I was hinting at you changing your server logic. Knowing the id shouldn't be an easy way to edit another user's content. What you need to do is check to see if the id of the current user is the author of the content (server side), and act accordingly. – Daedalus Feb 02 '13 at 21:15
  • @Daedalus That is not possible, as the system is already built. I just need to hide it or make it harder to read, as the code changes every 24 hours. – Hostse Feb 02 '13 at 21:17
  • @Hostse Then you'll have to change it, as has been said several times now, what you ask for is impossible. – Daedalus Feb 02 '13 at 21:19
  • That is why designing your application well from the start, and knowing the type of technologies you use, is so important. It avoids all this mess. The only way for you to keep it safe and secret is on the server side. I hate to break it to you, but it's the only way =/ – Goaler444 Feb 02 '13 at 21:21

3 Answers

What you're currently doing works but the end user will be able to see the "secret data". Anything client side will be visible to the user. If you need to pass some data to a script that you don't want the user to see you can store it in a session.

<?php
    // the value stays on the server; only the session cookie reaches the browser
    session_start();
    $_SESSION['secret_data'] = 'data noone can know';
?>
SeanWM
  • How would I then use it in the JavaScript, without letting the end user know? – Hostse Feb 02 '13 at 21:03
  • url: '', ? – Hostse Feb 02 '13 at 21:05
  • @Hostse And thus, the data is no longer secret. All JS is visible to the user. – Daedalus Feb 02 '13 at 21:05
  • Hmm, is there a way to hide it or something? – Hostse Feb 02 '13 at 21:06
  • You wouldn't use it in the JavaScript if you want it hidden. – SeanWM Feb 02 '13 at 21:07
  • JavaScript cannot be hidden -- it's all client-side, so essentially everything you do with JavaScript has to be present in some shape or form for the user. You can test your JS code without internet, right? By using a SESSION, which is PHP related and thus server-side, your user cannot see what's going on because it is all server side. The best way to "hide" JS stuff is as Akam said -- to obfuscate or minify your code. It'll make it a lot harder to read. – aug Feb 02 '13 at 21:14
  • @aug And how would I do that? – Hostse Feb 02 '13 at 21:15
  • @Hostse To obfuscate or minify would not hide your relevant id, if that is what you're thinking. – Daedalus Feb 02 '13 at 21:18
  • @Hostse Some relevant questions on minifying/obfuscating: http://stackoverflow.com/questions/1737388/how-to-minify-javascript-code and http://stackoverflow.com/questions/194397/how-can-i-obfuscate-javascript but yeah, be aware of what Daedalus said. – aug Feb 02 '13 at 21:41

When using client technologies, such as JavaScript, it is impossible to keep your source code hidden and secret. It's one of the fundamental principles. It runs on the client side.

Taken from this site:

JavaScript is what is called a Client-side Scripting Language. That means that it is a computer programming language that runs inside an Internet browser (a browser is also known as a Web client because it connects to a Web server to download pages).

Unfortunately, your statement therefore does not make sense:

Well, I need the JavaScript to use the secret data, without letting the end user see what it is.

To keep code/information secret it must be implemented/stored on the server.

I would encourage you to look further into how JavaScript actually works. Here is an image depicting the typical architecture:

Server Side and Client Side Technology

Goaler444

When another user needs to view the user's content it is used in the JavaScript. But if another person knows this id, it can be edited by that user. So therefore it needs to be hidden.

Your problem is:

  • If a user knows the id they can view the content
  • If a user knows the id they can edit the content

You want only the user who created the content to be able to edit it, but anybody who knows the id to be able to view it.

As your system currently stands, you can't keep the id secret without making the content impossible to view or edit, and you can't provide it without making it possible to see and edit the content.

Thus trying to keep the id secret is not the solution here.

You need to add an extra layer of checking to your system. Since anybody who knows the id is allowed to view the content, you can leave the viewing portion as it is.

Since only the user who created the content is allowed to edit it, that needs extra protection. When a request comes in to edit the content, you must authenticate that the request came from a known user (i.e. that the user is logged in) and you must make sure that they are authorized to edit the content (i.e. that the username of the logged-in user is the same as the username of the user who created the content, or that they are an admin or have some other suitable permission).

That layer of auth/authz can be done on the server.

Quentin
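The server-side check Quentin's answer describes, combined with SeanWM's point that the logged-in identity lives in the PHP session, written out as an added example; this is not code from the question or from any of the answers. It assumes a hypothetical PDO handle $pdo, a hypothetical table content(id, owner_id, body), and that the login code already stored user_id, is_admin and a csrf token in $_SESSION.

```php
<?php
// Added example, not code from the question or any answer. Assumes a PDO
// handle $pdo and a table content(id, owner_id, body), both hypothetical,
// and that the login code stored user_id, is_admin and a csrf token in
// $_SESSION. The browser sends only the content id, an action and a body.
session_start();
header('Content-Type: application/json');
function fail(int $status, string $msg): void {
    http_response_code($status);
    echo json_encode(['error' => $msg]);
    exit;
}
// authz: the owner or an admin may edit; knowing the id alone grants nothing
function can_edit(?int $user_id, array $row): bool {
    return $user_id !== null
        && ($user_id === (int) $row['owner_id'] || !empty($_SESSION['is_admin']));
}
$action = $_POST['action'] ?? 'view';
$id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
if ($id === false || $id === null) {
    fail(400, 'bad id');
}
$stmt = $pdo->prepare('SELECT id, owner_id, body FROM content WHERE id = ?');
$stmt->execute([$id]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if ($row === false) {
    fail(404, 'not found');
}
if ($action === 'view') {
    // anyone who knows the id may view, so this path stays as it is
    echo json_encode(['body' => $row['body']]);
    exit;
}
if ($action !== 'edit') {
    fail(400, 'unknown action');
}
// authn: the user id was put in the session by the login code, never by JS
$user_id = isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
if (!can_edit($user_id, $row)) {
    fail($user_id === null ? 401 : 403, 'not allowed to edit');
}
// session-bound state change: also require the per-session CSRF token
if (!hash_equals((string) ($_SESSION['csrf'] ?? ''), (string) ($_POST['csrf'] ?? ''))) {
    fail(403, 'bad csrf token');
}
$upd = $pdo->prepare('UPDATE content SET body = ? WHERE id = ?');
$upd->execute([(string) ($_POST['body'] ?? ''), $id]);
echo json_encode(['ok' => true]);
```

The page script POSTs the id together with the action and, for edits, the csrf token; the id can sit in plain view in the HTML because, with this check in place, knowing it only grants what anybody is already allowed to do, namely viewing.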