1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

php do not show html if called directly

Discussion in 'PHP & Perl' started by MoneyMafia, Feb 26, 2010.

  1. MoneyMafia

    MoneyMafia Regular Member

    Joined:
    Dec 2, 2007
    Messages:
    290
    Likes Received:
    310
    Hello everyone,

    I'm working on something and I need a little bit of help..

    So the issue.... I need to protect some javascript code that is generated on thy fly by php in 2 steps

    1) If some one call www.site.com/jscode.php the script will not show anything but if is called like <script src="www.site.com/jscode.php"> to show the javascript.. Any clue how I can do that... ?
    2) javascript code will be obfuscated on the fly using http://dean.edwards.name/download/#packer php version ..and here another question arise.. Will some antiviruses detect something like function(p,a,c,k,e,r).....unreadable code as malicious code ?!?

    Thanks and looking forward for your answers
     
    Last edited: Feb 26, 2010
  2. viracide

    viracide Registered Member

    Joined:
    Oct 12, 2008
    Messages:
    66
    Likes Received:
    14
    No, they most likely will not call it as a virus.
     
  3. MoneyMafia

    MoneyMafia Regular Member

    Joined:
    Dec 2, 2007
    Messages:
    290
    Likes Received:
    310
    for 1) ok did some testing and the only difference in headers i can find is this

    called directly

    Code:
    [GATEWAY_INTERFACE] => CGI/1.1
    [B][COLOR="Red"][HTTP_ACCEPT] => text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    [/COLOR][/B]   
     [HTTP_ACCEPT_CHARSET] => ISO-8859-1,utf-8;q=0.7,*;q=0.7
    
    called with javascript

    Code:
    GATEWAY_INTERFACE/CGI/1.1
    [B][COLOR="Red"]HTTP_ACCEPT=> */*[/COLOR][/B]
    do you think I can rely only on this ?
     
    Last edited: Feb 26, 2010
  4. MoneyMafia

    MoneyMafia Regular Member

    Joined:
    Dec 2, 2007
    Messages:
    290
    Likes Received:
    310
    Okie I've solved my issues. If anyone is interested I will post the solution here

    First of all I check if the referrer is blank..If it is then the file is called directly and someone want to take a peek on my js code so I show nothing
    Code:
    if ( (!isset($_SERVER['HTTP_REFERER'])) OR ($_SERVER['HTTP_REFERER'] == ""))
    {
     exit();
    }
    You may also show some dummy javascript which the viewer will copy it and will get mad thinking why is not working

    Secondly I encript my javascript on the fly using an open source packer

    Code:
    http://dean.edwards.name/download/#packer
    This should keep most of the common eyes far away from your dirty tricks as can be used for CS, fake traffic ,fake votes etc etc :batman:
     
  5. SpamHat

    SpamHat Junior Member Premium Member

    Joined:
    Apr 27, 2009
    Messages:
    151
    Likes Received:
    67
    Location:
    UK
    If this is mission critical then you're shooting yourself in the foot by using the referrer. There are plenty of plugins for FF that block, change, fake or randomize the referrer at will.

    What I'd probably do to stop casual snoopers is load the JS with an encoded piece of ajax after the page loads and only return the true script if some time-key and quick encoded var check is passed. Basically call your ajax script with a dynamically created url var, encoded timekey+userip+requesturi (or something similar) on each page load. Just check this is valid in your php script and output what you like depending on the results.
     
  6. givemelove

    givemelove Junior Member

    Joined:
    Feb 27, 2010
    Messages:
    107
    Likes Received:
    87
    Well what SpamHat seems more viable to me... but theres no fool proof method to save your javascript code anyways... i tried it earlier... but as you know it, whatever is made, can be broken (except php of course, no way that someone can get your php code)