Hide your JavaScript with PHP sessions
The key to this approach is to encapsulate your JavaScript in a separate PHP file, and to use a PHP session to restrict access to those scripts except when you want it to be explicitly permitted (i.e. when you want to run them from a specific page). To accomplish this, we first create a PHP session on the page from which we want to run the JavaScript.
<?php
session_cache_limiter('none');
session_start();
if (empty($_SESSION['allow_script']))
{
    $_SESSION['allow_script'] = true;
}
?>
Placing this PHP at the top of your page opens a
The next step is to move whatever JavaScript you want to execute over to another file called ‘script.php’. This file should contain your JavaScript wrapped in a PHP tag, along these lines:
<?php
if (empty($_GET['allow_script']))
{
    session_start(); //restart the session from the previous page
}
if (!empty($_SESSION['allow_script'])) //execute the javascript only if the variable is passed
{
    header("Content-type: text/javascript");
?>
alert("Hello World! JavaScript executed.");
<?php
}
?>
This portion of the PHP guarantees that the JavaScript generated by it does not appear to the end user, even if they navigate directly to script.php. The $_GET['allow_script'] check ensures that the user is not trying to do an end-around by passing the allow_script variable with a value of ‘true’ directly to the script.php page, which would obviously allow them to view the JavaScript source.
Finally, you need to unregister the variable and close the session:
<?php
$allow_script = false;
unset($_SESSION['allow_script']); //delete the variable from the session (session_unregister() was removed in PHP 5.4)
session_unset(); //make the session inactive
session_destroy(); //and toast it for IE
?>
NB: session_destroy() is not necessary for
The end result of this simple process is a nicely hidden, encapsulated JavaScript that can be called with the simple line:
<script language="JavaScript" src="script.php"></script>
Now your existing JavaScript (with all its client-side capability) can be easily referenced within your code, without leaving it vulnerable to the
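The request ordering behind the steps above, as an added example that is not part of the original article: a command-line model of the main page and script.php, with an in-memory array standing in for PHP's session store. The function names, the session ids and the one-shot $consume variant are assumptions made for illustration.

```php
<?php
// Added illustration (not the article's code): models which requests to
// script.php receive the JavaScript body. All names here are constructed.
const JS_SOURCE = 'alert("Hello World! JavaScript executed.");';

// Main page: sets the flag; optionally runs the teardown in the same request.
function page_request(array &$store, string $sid, bool $teardown): void
{
    $store[$sid]['allow_script'] = true;
    if ($teardown) {
        unset($store[$sid]);   // stands in for session_unset() + session_destroy()
    }
}

// script.php: returns the response body that the client receives.
function script_request(array &$store, ?string $sid, array $get, bool $consume): string
{
    // The article skips session_start() when allow_script is in the query string.
    $started = empty($get['allow_script']) && $sid !== null;
    $session = $started ? ($store[$sid] ?? []) : [];
    if (empty($session['allow_script'])) {
        return '';
    }
    if ($consume) {
        unset($store[$sid]['allow_script']);   // assumed variant: one-shot flag
    }
    return JS_SOURCE;
}

function run_scenarios(): array
{
    $r = [];
    $s = [];
    $r['no session cookie'] = script_request($s, null, [], false);
    $r['query flag, no session'] = script_request($s, null, ['allow_script' => 'true'], false);
    page_request($s, 'sid1', false);
    $r['script tag fetch'] = script_request($s, 'sid1', [], false);
    $r['later direct visit'] = script_request($s, 'sid1', [], false);
    $s = []; page_request($s, 'sid2', true);
    $r['teardown in page'] = script_request($s, 'sid2', [], false);
    $s = []; page_request($s, 'sid3', false);
    $r['one-shot: first fetch'] = script_request($s, 'sid3', [], true);
    $r['one-shot: direct visit'] = script_request($s, 'sid3', [], true);
    return $r;
}

foreach (run_scenarios() as $case => $body) {
    printf("%-24s %s\n", $case, $body === '' ? '(empty)' : 'JavaScript source returned');
}
```

Run it with php on the command line. The teardown-in-page case returns nothing because the browser requests script.php only after the page response has been generated, and every case in which the script is allowed to run also delivers its full source to the client.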




Comments
Xyc (Aug 27, 2009)
Finally, you need to unregister the variable and close the session:
Where do you place this code? In the HTML file causes the Javascript to fail (not run). In the javascript file still allows the code to be viewed.
Thanks
Vasken (Aug 31, 2009)
@Xyc,
That code should be in the main php file, not the javascript. It's funny that it's not working for you…it's been several years since I wrote this article, so let me test it and see if something's changed with PHP.
bogo (Jan 09, 2010)
Could you send me an example, please?
Vasken (Jan 11, 2010)
@bogo,
Sorry, the code above is the only example I have. I'm not sure this would still work…it's been nearly 4 years since I posted this.
Mehran (Apr 30, 2010)
Thanks for the script, but it just works for Firefox when you manually type the URL, and when you reload the page and click view page source and click on the script.php it shows the whole thing unfortunately.
Any suggestion?
Vasken (Apr 30, 2010)
I think this used to work because of how sessions were handled in PHP back in the day. I'm pretty sure session handling has improved to where this is no longer possible. Kind of a bummer…
Mehran (Apr 30, 2010)
Can this line be written in PHP?
I saw a method
?>
in this way it doesn't show the link, but shows the script file in the same main.php
stupidly,
can we come up with a PHP code just like above but not with "_get" so the code would not be shown?
Mehran (Apr 30, 2010)
I meant that source code that links to JavaScript in main.php, and that method can't be shown here but it was a small PHP which was using echo and _get
Vasken (May 06, 2010)
I'll play around with it and get back to you.
jeff (Sep 28, 2010)
I have that same method. I created a class for it and it works well; it is hidden in the browser. I tested it in almost all browsers.
vaskenhauri (Oct 05, 2010)
@jeff Thanks for the update. Any chance you would be willing to post an example of your code or at least send it to me so I can add it to the article?