This question already has answers here:
How can I obfuscate (protect) JavaScript? [closed]
(22 answers)
Closed 8 years ago.
I have written a lot of functions which use ajax to call PHP functions in my main.js file. The problem is that anyone can see my logic and internally called php file names of website by viewing the page source. How should I prevent the people from viewing my javascript file?
Javascript can be obfuscated, but there's nothing that's going to prevent a client from
seeing the URL strings in your code, or
simply inspecting the HTTP requests themselves to determine what URLs are being hit.
This re-enforces the importance of making sure you write solid and secure server-side code. You also want to make sure your web server is configured and secured properly, so that (for example) clients are unable to download the PHP source directly.
You can't stop people from viewing your javascript file, because the readable javascript code is required to correctly execute that code on your page. You can obfuscate the function names and minify the javascript to make it harder to read, but if someone wants to read the file, this will not stop them from doing so.
Instead, you should assume that everyone knows everything about your javascript file, and that everyone is able to alter your javascript file. You shouldn't put any validation solely in your javascript file and in every php page you should somehow check if the request that is made is valid (e.g. was the user allowed to do an ajax request to a certain page at a certain time?).
You can't able to hide the Javascript in browser, If you did that, your javascript related operations won't run.
you cannot hide javascript files. but you can minify the code so that, it will be very difficult for a man to read and understand your logic and all.
something like this
http://code.jquery.com/jquery-1.10.1.min.js
Related
This question already has answers here:
One big javascript file or multiple smaller files? [duplicate]
(7 answers)
Closed 6 years ago.
I have 4 types of js file and here are the list:
bookmark.js, status.js, auth.js and photo.js
Question:
Should i load the js only for specific page or i will compile everything into 1 js?
Does affect loading webpage if i use specific js for each page?
So, it depends, exactly in what you're looking for.
In case you're looking for loading speed, I think the best solution is keep them separated, it will allow the browser to load more than one js file asyncronusly.
But, if you need to have smartest code you should keep them in one single file, trying to reduce it more and more.
Remember that you should only think about this on your production code, absolutely is better to have different file working on them.
As you can see if you try the first approach you'll be more fast on page load. An example is a web application who need to load big amount of js files.
loading 3 file of 1MB will be always more fast that loading a single one of 3MB because they will start their loading in the same time.
Another approach is to load js files when your page requires them, but remember that in this case, if you have big js files, the client will see a lot of loadings during his surf on the website your working on.
Here you can read more about js file managment
Are you using any JavaScript front-end framework like AngularJS? If you really only want to include the required JS files you can do that.
In case all html pages use separate javascript files, its better to keep them separate. Based on users action they will be cached on browser end.
To optimize load time you can do the following
Use async inside your script tags so its not blocking rest of the
page and,
Use javascript minification on all of them this will reduce the size of the file and reduce the http payload.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 7 years ago.
Improve this question
Issue: I want to run PHP from inside HTML docs, to include HTML via PHP include();.
Q:
Would it be better to change .php to .txt, for my AJAX-loaded pages, and change my .html files to .php?
This would perhaps solve it, but it would be much easier if it worked to allow PHP in HTML. But is that a bad practice, to allow PHP in HTML?
I have my setup described below, to understand my problem with choosing file-extension for my pages/allowing PHP in HTML.
I have an Ajax app, with pure JavaScript.
The AJAX-content files, are with .php extension, and in htaccess I strip away .php from any URL in my site.
Then, in my pushstate, I use the 'data-name + (.html)', in my third statement/parameter for pushstate.
This way the URL will show .html, even if the actual loaded content is from my .php file.
This then solves my refresh and deep-links, as it will always be .html in the URL bar, and the .html file exist's when a user goes directly to that URL.
To run PHP in HTML:
It seems I need access to httpd.conf, which I am looking into, and have asked my server-people if this is supported, and if they can activate it.
Is this kind of setup for a webpage 'generally accepted'?
Am I doing anything fundamentally wrong in terms of 'generally accepted'?
Maybe not fit for Q/A, but common practice's should be OK to ask about.
If you need some php somewhere in your website, the common use is to move everything to .php extension (even file that use html with JS only).
If someone other than you need to put his hands in this app, changing the default worldwide assuming behaviour of the server is definitely not a good practice.
And if you think changing extension to .html allow you to avoid hacking / making magic trick, then you should learn how to really secure your app or use .htaccess rewriting to change the look of your URL.
For your knowledge :
PHP is a server side proceeded language, running on .php file
html is a structural language used by the client browser to apply css
css is the design rules language used by the client browser to stylize the html
JavaScript is a client side proceeded language, running in html usually
AJAX is (±) the use of JavaScript to hit the server and bring back some content if needed
By default on web server, a browser that get back php generate content expect it to be in text/HTML language (you can change it by the use of header())
For AJAX, you can totally avoid using it in fact, the only true down side is that you'll have to reload the page (and wait the server to process the required action) every time you need to hit the server. AJAX allow you to make these call as background task in the client browser, like
"save this form and tell me when you're done"
or
"my user change the filter used, could you send me the products for tag=newTag".
This question already has answers here:
Convert a PHP script into a stand-alone windows executable
(7 answers)
Closed 9 years ago.
I want to make windows standalone app with php, even i want to use database, javascript in that application.
Note : i don't want to give source code to user.
I should be like exe file which user can run.
If going with Windows, try WinBinder. It allows you to develop native Windows applications using PHP.
It also supports SQLite, so you don't need a database server
Also this answer will help you
I use phc to create .exe files out of my PHP source code. It works quite well, but it's mostly good for console applications rather than full webpages.
However, you could have your PHP script include a basic "server" that allows the browser to communicate with it - I have done this in the past too, and while it might seem daunting the results were very rewarding.
This question already has answers here:
How do I hide javascript code in a webpage?
(12 answers)
Closed 9 years ago.
I have a site where I display charts using JS data. I don't want other people to copy my source (meaning have them copy paste my html/JS, etc.). I have seen other websites with charts and if you view the source there is no data there. Are they doing something sneaky? How do I do that? Can you run it on the server side? Can you put it in another file and reference that one? I have the JS linked from an external file but you can still see all the a data in that one if you open it. What is the best way to keep the data from appearing in the source file? I'm not talking about obfuscating it.
Please read this related post:
This thread: How do I hide javascript code in a webpage?
Basically, if a web browser can read it, the end user can access it.
If you wanted to really make it more work to view the source, you would do all of the following:
Put it in an external .js file.
Obfuscate the file so that most native variable names are replaced
with short versions, so that all unneeded whitespace is removed, so
it can't be read without further processing, etc...
Dynamically include the .js file by programmatically adding script
tags (like Google Analytics does). This will make it even more
difficult to get to the source code from the View Source command as
there will be no easy link to click on there.
Put as much interesting logic that you want to protect on the server
that you retrieve via ajax calls rather than do local processing.
You can't hide your JavaScript since it has to execute client side. You can move all your js to external files, but that will not really hide it since someone can just reference the same files.
Basically the key point is that nothing done in JavaScript can be kept a secret from a skilled developer. JavaScript is inherently in plain text.
My understanding was that only the javascript code placed inline in the HTML page would show, never the code stored in .js files
...and I had never seen in any browser code in a .js file show on the clientside...
until I started to use Chrome and noticed all my code is available for viewing???
Have I been convincing myself the code is safe in .js files, when in fact it never was?
and while on this subject can a responder be totally clear whether the code in .js files can be hidden or not.
I have read many posts that left me doubting whether it can be done or not.
. Some say to place it in a .js file on the server so it executes on the server...
--- using 'language=javascript' and an html line with 'runat server'? no idea how to do that.
--- But, would that not defeat the purpose of speed, and refresh since the server has to be accessed?
--- might as well code it in the code-behind???(C#, VB, php, ...)
. Some say use an AJAX call etc... but it seems others contradict that, saying the code lands on the clientside anyway thus will show? ...and I am assuming this would be a callback with no page redraw...
JavaScript is executed in the browser, this means the script has to be submitted to the client. So, of course anyone can view the code, wether it's happening in the developer tools, getting the direct link out of your html or, for example, using a http sniffer.
Altough, there are some methods to make the script unreadable for humans.
Minifying your script is a good practice in general. It decreases file-size, so the client has to download less, speeding up loading time. After all, this does not really help making your script "unreadable" for users, there are a lot of deminifying services all around the web.
Still, there is another way: obscurifying (or obfuscate) your script. This replaces the code to make it unreadable. Unfortunately, I don't really have experience with using this technique, so I don't know how it would affect the performance of the js-code.
Maybe you want to have a look at this: How can I obfuscate (protect) JavaScript?
Javascript code can be seen even if its in a .js file the only thing you can do to make it little tough to understand is minify the js file.
Actually, javascript code stored in a separated file wont be shown directly; the user must explicitly type the name of the file in the address bar to see its content.
The only way to hide it is, as said before, to minify the file, which compress the file and make it unreadable for humans.