1

Is there a way i can encrypt or scramble a certain text so it cannot from browser view source. For example if i have a video id 117 showing in the view source html, and i want to encrypt that or make it difficult to read, is this possible.

Pinkie
  • 10,126
  • 22
  • 78
  • 124
  • As if no one would get it? LOL – Sujit Agarwal Jun 04 '11 at 08:12
  • @Coding-Freak It' surely possible to get, but wondering is there's a way to make it hard to read for the average user. – Pinkie Jun 04 '11 at 08:13
  • What is the point of doing this? – Gumbo Jun 04 '11 at 08:15
  • @gumbo It would be useful for scrambling email addresses – Pinkie Jun 04 '11 at 08:19
  • @Pinkie: Is that the particular application or just another example? – Gumbo Jun 04 '11 at 08:20
  • @gumbo just another example. Whether it's text id or email address. It can be useful is many scenarios. – Pinkie Jun 04 '11 at 08:21
  • 1
    @Pinkie, if you're looking to scramble email address, do what GitHub.com does: encode every character using URI escape codes, and use JavaScript's decodeURIComponent() to render it on screen. So when a user does a "View Source", all they see are a bunch of what appear to be random numbers, letters, and percent symbols (%). – Kevin Herrera Jun 04 '11 at 08:24

4 Answers4

4

Since the browser must be able to properly render the page, the source code will always be available in one way or another.

You can however obfuscate the code quite a bit. Search for html php obfuscation and you'll find good links. Here are a few:

The following code for instance:

<html>
<body>
<a href="videolink.php?id=117">link</a>
</body>
</html>

can be scrambled / obfuscated into

<script language="JavaScript" type="text/javascript">
// Copyright © 2005 Voormedia - WWW.VOORMEDIA.COM
var i,y,x="3c68746d6c3e0d0a3c626f64793e0d0a3c6120687265663d22766964656f6c696e6b2e7068703f69643d313137223e6c696e6b3c2f613e0d0a3c2f626f64793e0d0a3c2f68746d6c3e";y='';for(i=0;i<x.length;i+=2){y+=unescape('%'+x.substr(i,2));}document.write(y);
</script>
Community
  • 1
  • 1
aioobe
  • 413,195
  • 112
  • 811
  • 826
  • ...which can easily be viewed -- decoded -- using the DOM inspector built into Chrome, IE9, Safari, or Opera, or Firebug on Firefox. Or even just right-clicking the link and doing "Copy". – T.J. Crowder Jun 04 '11 at 08:20
  • yep... Can't think of any obfuscation technique that would be resistent against such, yet simple, deobfuscation. – aioobe Jun 04 '11 at 08:30
4

If you want the video link to be useless except in the context of the page you've just returned to the client, you can do something with server-side code.

The usual thing is a one-time or limited-duration ID that's generated specifically for the page. For instance, ab23jjgk23098jajzklwravmzzxwrpo2q3476as rather than 117. On the server, you have a table mapping these one-time / limited-time IDs to the real ID. In the table you can also link the ID to the IP address of the request for the page, and then only respect the ID if the request for the video comes from that same IP address. It's important that the IDs not actually contain the video ID (obfuscated or not), hence the server-side table, and that they be effectively random.

I say "table," but of course it needn't really be a database table. It could be anything that lets you store key/value pairs, such as memcached.

Update based on your comment below.

Without server-side mapping (database, session, memcached, etc.), all you can do is some obfuscation, and it's going to be easy for anyone semi-technical to break. If what you're outputting is a URL (in a link, in an object tag, etc.), you can use URL-encoding to make it hard to read, e.g.:

<a href='video.php?%6e%6f%6e%73%65%6e%73%65=%66%6f%6f&%69%64=%31%31%37&%72%75%62%62%69%73%68=%62%61%72'>video</a>

...which, when clicked, will call your video.php file with the parameters nonsense=foo, id=117, and rubbish=bar (that's what's encoded in the query string, using percent-encoded entities). But again, although it might deter non-technical people, technical people won't be fazed.

T.J. Crowder
  • 1,031,962
  • 187
  • 1,923
  • 1,875
1

In addition to tj's answer, you could also use a session value to direct the user to the video, or even use a limited duration cookie to store the one time id, which expires when the id does, so the user could return to the video if they accidentally navigate off it.

Sean
  • 696
  • 2
  • 9
  • 24
1

Perhaps make a little flash app that the link calls a method via javascript (see ExternalInterface) that decodes the passed link data and navigates to. Still can be reversed, but much harder then just using the browsers DOM Inspector.

You could also encrypt the link using some strong encryption such as Blowfish and a key only known to the flash app, but really its up to you how secure you want this to be, and again, once that key has been reversed from the flash swf anyone can decode the link data.

Geoffrey
  • 10,843
  • 3
  • 33
  • 46