0

How do I hide the src as shown below? The example.php contains PHP, MySQL functions and forms. So how do I hide the src when a visitor checks view source on the page?

<iframe src="example.php" height="300" width="200" scrolling="no" sandbox="allow-forms" seamless="seamless" id="example1"></iframe>

<div id="panel">

content

</div>

ruchaidan

3 Answers

1

Even if you can find a way to hide the iframe src, the visitor can see it with debugging tools such as Firebug.

cem
  • So is there any way to not show it? I have seen some sites with a script on the iframe and it is not showing the src or the iframe – ruchaidan Oct 31 '13 at 13:50
  • Then the iframe is maybe created dynamically with JavaScript. Still it's possible to get the source, it's just a bit harder – Reeno Oct 31 '13 at 13:51
  • No, it's not possible. – Guilherme Sehn Oct 31 '13 at 13:51
  • Maybe you can try to use something like CSRF protection if PHP has something like that, but still, it is not a 100% secure solution. – cem Oct 31 '13 at 13:54
1

First, the user won't get the .php-File like you see it on the Server (if you have a PHP-Server). It will get parsed and what will remain is plain HTML. So your user won't see SQL-Queries, etc.

But what you're trying to do is impossible. That's not how HTML works. What you see when you click "show Sourcecode" is exactly what the browser uses to display the page. So if you don't deliver a src value for your iframe, then the browser won't be able to show it correctly.

Richard
  • Thanks. But when it goes to example.php in the url ? and && will be there so they can sql inject it. I need to protect that. How can I do that? – ruchaidan Oct 31 '13 at 13:56
  • You have to implement security ALWAYS on the Backend. To read about sql-injection, you can find a lot of information on this very site: http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – Richard Oct 31 '13 at 14:02
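
What "security on the backend" can look like for the framed example.php, as an added example that is not part of the original answers: validate the query parameter, then pass it to the database through a bound parameter. The `items` table and the `id` parameter are hypothetical, and in-memory SQLite stands in for MySQL so the script runs offline.

```php
<?php
declare(strict_types=1);

function open_db(): PDO
{
    // Stand-in database. For MySQL the DSN would look like
    // 'mysql:host=...;dbname=...;charset=utf8mb4'.
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, title TEXT NOT NULL)');
    $pdo->exec("INSERT INTO items (id, title) VALUES (1, 'first'), (2, '<b>second</b>')");
    return $pdo;
}

/** Returns the matching row, or null if the parameter is invalid or unknown. */
function find_item(PDO $pdo, array $query): ?array
{
    // 1. Validate: the parameter must be a positive integer and nothing else.
    $id = filter_var($query['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // 2. Bind: the value travels separately from the SQL text,
    //    so it is never parsed as SQL.
    $stmt = $pdo->prepare('SELECT id, title FROM items WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$pdo = open_db();
// Constructed query strings, shaped like $_GET for example.php?id=...
$samples = [['id' => '2'], ['id' => '2 OR 1=1'], ['id' => "1' --"], ['id' => '99'], []];
foreach ($samples as $query) {
    $row = find_item($pdo, $query);
    // 3. Escape on output so stored data cannot inject markup into the framed page.
    echo $row === null
        ? "rejected or not found\n"
        : htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8') . "\n";
}
```

Only the first sample returns a row; the others are rejected by validation or match nothing, regardless of whether the visitor knows the iframe's URL.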
0

In the past I also searched for something for this problem and I found a node.js plugin that can protect your code with obfuscation and other stuff. Please read his readme to understand why you can't protect JavaScript code 100% and how you should do it. He explained it very well.

https://www.npmjs.com/package/location-hide

There is also a LIVE DEMO: http://www.forbiddentube.online/samplepage

You import, for example, your index.html or any other file that fs can read, and the output will look like this:

Before:

<script src="_/sample.js" type="text/javascript"></script>

After:

<script data-wchIyvpKUkArTeyUIZsCekKZRROZZzMNErjvtdIqWGkytjDyhJ="bCCnkxHMRCbEnVtvOWxOqBtKgsYkZEmWzPKybVKvJktkXTWDnc" type="text/javascript"></script>

Then, in an external js file, you can add the jQuery code that the tool generates into a separate file:

$(document).ready(function() {
var qRlhGXpAjYCmwyVlAnbJmUABkGzIavYdkcVArRvICzLhaeJbbV = document.querySelectorAll('[data-wchIyvpKUkArTeyUIZsCecKZRROZZzMNErxvtdIqWGkytjDyhJ="bCCngxHMRCbEnVtvOWxOqBtKgsYkZEmWzPKybVKvJGtkXTWDnc"]');
$('[data-wchIyvpKUkArTeyUIZsCecKZRROZZzMNErxvtdIqWGkytjDyhJ="bCCngxHMRCbEnVtvOWxOqBtKgsYkZEmWzPKybVKvJGtkXTWDnc"]').attr("src", "_/sample.js");
$('[data-wchIyvpKUkArTeyUIZsCecKZRROZZzMNErxvtdIqWGkytjDyhJ="bCCngxHMRCbEnVtvOWxOqBtKgsYkZEmWzPKybVKvJGtkXTWDnc"]').attr("src", "").delay( 10000 );
});

Since version 1.3.6, FSIG (Fake Script Include Generator) is part of this project. This nice tool allows you to add fake include scripts. For example:

<script src="_/Dniw94XqAh6v69sMOy3PlajC0WlMZASgxs37FlnVcW5cX4k8vuwLTcyD3tWYxZPH1OBxRrnFRtKVf5bXbd24rNcdVfWNuBrhvaMl.js"></script>
<script src="_/TXCRCSq5xo335CGmApFbqWggJuiZmIzuPXGgHKWuQljXqIvKSdVeO4qNUmTcaIRlVpZ0wfA6h1I9MviVOs0KiD7bdRgNYiSy3gUD.js"></script>
<script src="_/vYmuX2f5tY3L0WGIBclT5j1qWyF2g5bEj026ZW90HzIaCMFjneLB2lYmofRbMy51YKXuiMbhNmNICKSk99OS6yoTTly2wAWVGQMp.js"></script>

This code will be pasted at the end of your crypted file. You should cut it out and paste it directly before your


I used this plugin for my blogs and it works like a charm.