I have a php script called from html tag, as
<script src="js/myscript.php"> </script>
Please help me finding a php function to detect if this script is called directly or from script tag of my website.
I wish to prevent someone pasting link to address bar and getting content of myscript.php, as
http://www.mysite.com/js/myscript.php
Not much you can do here other then check the $_SERVER['HTTP_REFERER'], which by no means is a secure way of doing this. Its pretty much impossible to do what your asking as there are simple ways around this.
Your best bet would be to obfuscate the code which would make it harder to read should they load the URL, but again, there are ways around this also.
If you are using javascript, you CANNOT prevent everyone being able to see it. You can't expect a browser to be able to do what the script tells it to do without telling it what to do :)
Your file ext is a PHP, but it is in a js folder. If the output is only JS, you can't stop people being able to view it in any real reliable manner.
Related
I need to get the contents of a website through PHP, however, the content is only available when JavaScript is enabled. The workaround that I am using now is making an applescript to open the website in Safari, and selecting all of the page content, copying it to the clipboard, and pasting it.
That will be really hard to achieve I guess. If you observe the JS on that page that is responsible for getting the content ready, you may discover its just another AJAX call that you may be able to call directly from your PHP script.
best possible solution: ask the website owner for api/export access ;)
If that is not possible, you can only pray that you can analyze the requests that are initialized via JavaScript and imitate them.
(possible tools: firefox with firebug or tamper data plugin).
Warning the owner of the website might not like this approach, in fact, it may be disallowed to scrape the data automatically
What do you mean by:
the content is only available when JavaScript is enabled
Does the page pull data from somewhere via JS? Would it be easier to analyse where the data is coming from and access that place directly from PHP?
Let's say I've to include the following line with my website header:
<script type="text/javascript" language="javascript" src="file.js"></script>
Now anyone easily can visit my--web--site/file.js and view its source.
So, I wonder if there any idea I can rename file.js to file.php and still able to call it and works fine, so that no one can view it by visiting my--web--site/file.php.
Any idea?
About the only thing you could do is to make it difficult to read and understand your JavaScript code.
Check out this post on the YUI blog about Minification and Obfuscation. Minification will have the added benfit of making your script smaller and thus load faster.
Take special note of what the article has to say in its closing paragraph:
Then finally, there is that question of code privacy. This is a lost cause. There is no transformation that will keep a determined hacker from understanding your program. This turns out to be true for all programs in all languages, it is just more obviously true with JavaScript because it is delivered in source form. The privacy benefit provided by obfuscation is an illusion. If you don’t want people to see your programs, unplug your server.
Javascript is distributed as source - if your users can't view it, they can't run it - so no, not really.
What you can do, if you are paranoid, is obfuscate and minify (google "minify javascript") the source before deploying.
This is far from bulletproof though (chrome for instance, has a very nice pretty printer in its debugging tools).
No, you cannot do this. If a person's browser is able to read your JS file, that person must also be able to read your JS file. That is how the Internet works. This is good and desirable behaviour, and you shouldn't try to keep people from reading the CSS/JS/HTML that composes your website. It is completely self-defeating and serves no purpose. Nobody is interested in stealing your JS code.
If you don't want people seeing the contents of your web page (including your JS), don't put it on the internet!
Anyone with a debugger on the client can grab your script no matter how you serve it up to the client.
No. The JavaScript file is downloaded and executed on the web browser. This means that the user needs to be able to download it.
You can obfuscate it using some kind of obfuscator that makes it a lot harder for people to read, yet keep it functional by the client.
I have seen that some web sites have a PHP script to redirect the user to another web page if they try to access JavaScript files directly. How is that done?
Unfortunately, as the previous answers have stated, you can't prevent one from seeing the contents of a JS file; if you could do that, how is the browser supposed to parse it?
The next best thing to do is to "Obfuscate" it using something like http://www.javascriptobfuscator.com/default.aspx
This will convert your human-readable code into a bunch of character codes and obscure function names. The Obfuscator I linked to generates a unique ID and bases its encryption on that ID, making it harder to decrypt.
However, this isn't fool-proof, and someone who really wants to get at your JS, for whatever reason, will do it. Anything you really don't want users to have access too should be done server-side. ;)
No, that's not possible.
There are plenty of ways how to get JS files. Nothing helps in protection.
Javascript is meant to be client side. That means it always gets executed on the browser which is local and thus can not be hidden.
I was wondering, I want to plant a JS tracking code (analytics) in a few websites to track their traffic. But I don't want that when viewing the site's source code people will be able to see that I've embedded the JS tracking code there.
Is it possible? Maybe by using an Apache/PHP trick?
Thanks,
Roy.
Nope it's not possible, for the browser to execute any code at least some of it must be initially visible, even if that code is to then retrieve the tracking code itself.
In addition all the modern web developer tools provide access to any code that is loaded so anyone can use those to see anything you've attempted to load discretely.
The more important question is why you want to hide that you're tracking people?
It's not absolutely possible with Javascript. Javascript always runs in the context of the user's browser, so it always means that the user will have access to see the script. You can obfuscate it, or try some tricks similar to anti-hotlinking on the JS code, but it will still be relatively easy for someone to figure out what the code does with a simple tool like Firebug.
You can, however, track your traffic without JavaScript. Analytics uses JavaScript for portability, and because some of the data it accesses can only be accessed with JavaScript. However, there are more passive ways of tracking your traffic which don't require JavaScript, such as any log analyzer like AWstats. You just don't get some of the cool features of Analytics.
It's not possible, but you could just name your script file something innocent like "mouseover.js".
It's not possible: JS code has to be run by the web browser, which means that -- which ever way you try put it -- it has to be readable by the browser and thus by anyone that inspects the page.
You could try obfuscating the JS, but that won't stop anyone that is determined to see what's happening.
You could ask yourself what the odds are that more than a few people will check whether you're tracking them -- I wouldn't expect it.
You can't technically hide the code... But you can scramble it so it's not readable to anybody. I used http://hivelogic.com/enkoder/form by Dan Benjamin to scrable some JS on my page (in this case I scrambled my email address). It scrambles it so the browser can execute it, but it's not humanly readable...
Then you can just call it as a function like I did in from this script http://www.jamischarles.com/css_js/email_encoder.js. Give it a try.
Just wondering if it's possible to screen grab a page you are viewing with a PHP script or javascript? For example, load up a page in an iframe and then save that view as a JPEG?
I'm sure it's possible somehow, but are there any known implementations/libraries that help out?
Nope, sorry, it is impossible with Javascript and definitely impossible with a server-side language like PHP. (Edit: I mean it's impossible to take a screenshot of the user's view of the page.)
It depends on what you want to do this for, but you might want to find a script or program that runs server-side and renders the webpage there. But if you really want to take the screenshot of the user's view of the page, it's pretty much impossible.
http://html2canvas.hertzen.com/ might do the trick.
There is a python tool called Webkit2png, hope it helps. But in PHP, i don't believe its possible
You can't do it in JS but you could do something similiar server side if you know the url of the page you want to convert to an image.
Tools like khtml2png could be called from php to render the page.
Possible with the GD2 extension and some knowledge of the internals you are capturing - read here for an example.
Thanks for the help guys. I did find this interesting resource:
http://www.zubrag.com/scripts/website-thumbnail-generator.php
It's not PHP specific by any means, just an example of running an EXE script that is called by PHP. Needs a windows server I believe though.