I want to get an html page to be able to get a string of anything, for example 'text', without the user of the website being able to see the source of where I got it from. I have a working method right now, but the user can see the source, which is not what I want. Anyone know any ways?
I have my code below:
challenge.php:
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.1.3/css/bootstrap.min.css" integrity="sha384-MCw98/SFnGE8fJT3GXwEOngsV7Zt27NXFoaoApmYm81iuXoPkFOJwJ8ERdknLPMO"
crossorigin="anonymous">
</head>
<body>
<h1 class="result">Result: </h1>
<script src="http://code.jquery.com/jquery-3.3.1.min.js" integrity="sha256-FgpCb/KJQlLNfOu91ta32o/NMZxltwRo8QtmkMRdAu8=" crossorigin="anonymous"></script>
<script>
var req = new XMLHttpRequest();
req.onload = function() {
$(".result").html(this.responseText);
}
req.open("get", "get-data.php", true);
req.send();
</script>
</body>
</html>
get-data.php:
<?php
echo json_encode("text");
?>
The only problem for this code is when the user does ctrl + u, they can see "get-data.php. Then they can simply go to that that page and see the text.
There is no way to do what you wanted. No matter what you do, unless the code is purely php, the user will be able to see the value. The closest you can get is to set the value in javascript and obfuscate it, which will make it much harder to read.
When you obfuscate var value = "text"; a few times, it ends up looking like var _0x567b=["\x74\x65\x78\x74"];var _0xc6ac=[_0x567b[0]];var _0xc282=[_0xc6ac[0]];var _0x68bd=[_0xc282[0]];var _0xab55=[_0x68bd[0]];var _0x396f=[_0xab55[0]];var _0x12a8=[_0x396f[0]];var value=_0x12a8[0]
That alone is hard to read, but won't take longer than a few minutes for someone who knows what they're doing. So what I suggest is adding a few random variables (I added 500 extra variables) and obfuscate all of that a few times. Then it becomes much harder to read.
var value = "text";
var value = "text";
var value = "text";
var value = "text";
var value = "text";
ends up being var _0x398a=["\x74\x65\x78\x74"];var _0xefdc=[_0x398a[0]];var _0x6313=[_0xefdc[0]];var _0xa20b=[_0x6313[0]];var _0x2e32=[_0xa20b[0]];var _0xfe7b=[_0x2e32[0]];var value=_0xfe7b[0];var value=_0xfe7b[0];var value=_0xfe7b[0];var value=_0xfe7b[0];var value=_0xfe7b[0] when you obfuscate it a few times.
Although this may be a strong solution, there is no definite way to make the value 100% unreadable by the user. You will always only be able to make it harder and harder for the user to read the code.
The obfuscating tool I used is at this link: https://javascriptobfuscator.com/Javascript-Obfuscator.aspx
Do you need the content of $data to change based on user behavior? Then you should use AJAX. If you just need to display some static content, embed the php in the page and use echo.
If you want to prevent users from directly reading get-data.php then you need to modify the .htaccess file found on your server.