Newbie PHP question: 'hiding' code on server from View Source

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View
I have just started figuring out PHP as a server-side approach to
something I did in Javascript.

I never was able to figure out CGI on a remotely hosted web server the
few times I tried (maybe wasnt' enabled?), but PHP is working
least no problems at all, not my usual experience.

What I would like to do is have the web page visitor access one page
that 'calls' another so that the code isn't visible thru a web
browser's 'View Source'.

Can a .php or .htm file in the 'public', 'www', or 'html' directory
access a .php file in for example the CGI-BIN area, or is there another
way to do this?

A visual example would probably help me more than a description.

Thank you


Re: Newbie PHP question: 'hiding' code on server from View Source wrote:
Quoted text here. Click to load it

Sorry, description first, then example.  ;)

PHP is server side.  It runs *before* anything is sent to the client.

What gets to the browser (the client) is the *result* of the script, not  
the script itself.

Unless the server is set up wrong, the user should never be able to see  
the actual php code.

This is unlike javascript, where the source code has to be downloaded to  
the browser before it can run.  That's why you can do a view source and  
see javascript code (or at least the link to the code, if it's not  
inline with the page).

Lastly, just to confuse things, there is server-side javascript as well,  
but I've assumed here you were talking about client-side code that gets  
run on the browser.  Server-side javascript would be more for things  
like syncronising info between a bunch of client calls, or calling  
(perhaps proprietary) files or routines that lived on the server, not  
the client's machine.

<title>My Page</title>
<!-- Some HTML Code -->
<?php include('subdir/file.php'); ?>
<?php include_once('subdir/file.php'); ?>
<?php require('subdir/file.php'); ?>
<?php require_once('subdir/file.php'); ?>
<!-- More HTML Code -->

Doing a view source would NOT show those php lines, just the result of  
whatever they did.

Check out the manual or our good friend google on when to use which type  
of include/require statement...

Re: Newbie PHP question: 'hiding' code on server from View Source wrote:

Quoted text here. Click to load it

PHP has a command called

require ("page.php");

which will pull another page from the server into the current page,
whether this is PHP or HTML.
You can use it much like an "include" command to pull in PHP routines
or to pull in static chunks of HTML.
If you try to pull in a CGI file - eg somethign written in perl, it
will NOT execute on the server before being included, it will pull in
the raw source code and THEN try to execute it.

Re: Newbie PHP question: 'hiding' code on server from View Source

Quoted text here. Click to load it

Or require_once("page.php"); which is useful if your included files also
include other files of the same name. Then php will ensure that only one
copy is pulled in.


Re: Newbie PHP question: 'hiding' code on server from View Source wrote:

Quoted text here. Click to load it

That's like trying to run a car on gasoline that's not really in  
the tank.
No can do.

There are two ways to come close, though.

The second-best way is to obfuscate the HTML.  Make it so ugly  
and garbled that noone can reverse-engineer it.

The other is to have like a Javascript routine that dynamically  
loads content.  When they view source, they'll just see the JS  
routine.  The downside is that they can just look at what the JS  
downloaded - but at least it won't be as simple as just view-source.

You can up the obfuscation on that by having the JS appear to  
load several different files, making it difficult for the  
cracker to know which file was displayed.

Quoted text here. Click to load it

Re: Newbie PHP question: 'hiding' code on server from View Source

Wow, this is an active group...I had to dig to find my post!

How I saw php source (or think I saw it). Simplest 'Hell oWorld'
dumb-beginner script, uploaded as test.php and FTP'ed it to the ...I
hesitate to call the directory Root, because that's probably not
correct...the it was the directory/folder where all the
public-accessible stuff is. I believe my host co. has some areas called
public something, an area called www and an area called html.

Two of them 'mirror?' each other...that is, if I put a file in one I
find it in the other the focus here, but struck me as

So, after I saw the 'Hello World' message appear, I did View Source and
Quoted text here. Click to load it

So, regarding the comment, paraphrased 'unless something was configured
incorrectly, I should not see php, just the output'...would placing the
.php file in an accessible but 'wrong for the task' directory
constitute an improper configuration?

I like the obfuscation idea, but since my programming probably already
qualifies as obfuscated, I've been leery of sabotaging my ability to
read it myself the next time I need to modify it. How does one
UN-obfuscate code? Maybe just be organized and keep an unobfuscated
copy, modify it, upload it again, then obfuscate it for safe-keeping?

Thank you.


Re: Newbie PHP question: 'hiding' code on server from View Source contained the following:

Quoted text here. Click to load it

Only if you put it there.

echo "Hello world";

should only output  

Hello world

when you view source.

Why not post a link to your test page?
Geoff Berrow (put thecat out to email)
It's only Usenet, no one dies.
My opinions, not the committee's, mine.
Simple RFDs

Site Timeline