I created a PHP page that is allowed only for one person, That's OK but when the non allowed user write in address bar view-source:tstwebsite.com/test/page.php it shows the user the source of the page can I block the source code from the user? this is my code that allow this page only for one user.
$aiwab = mysql_query("SELECT * FROM `table`");
while($aiwa = mysql_fetch_array($aiwab)){
$alo = $aiwa['allowed'];
if ($alo == 2 ){
}else{
echo "<script>javascript:history.go(-1)</script>";
}
}
So how Can I block the user from viewing the source code?
If you just want to quickly change this from client-side authentication to server-side, then you could make the following change:
if ($alo == 2) {
}
else {
// Redirect them by sending a HTTP Location header
header("Location: www.yourdomain.com/path/to/another/page");
}
Note that the above solution will only work if header() is called before any output is sent to the browser (HTTP headers have to be sent before the body of the message begins). This functions very similarly to your current solution, with the difference that the redirect is caused by code on the server rather than in the browser. view-source lets someone get around your authentication as it allows them to load the page in their browser, without running the client side code.
This is just a quick fix that should help illustrate the difference between client side and server side authentication. If this is for anything beyond just messing about and learning a little code, then you should really be learning more about security. Also note that the mysql functions you're using are currently deprecated and you should instead be using mysqli, or pdo
You will also want to read up on the uses of client-side versus server-side code, just to get a grasp of what to use for what tasks and why.
Using javascript to "block" a user is, frankly, stupid. javascript can be disabled/ignored/bypassed, exactly as you've seen with your view-source "hack". "Security" can never be established if you're relying on the CLIENT to cooperate.
Use proper server-side authentication, e.g. even HTTP basic authentication, to protect the script.