Beefy Boxes and Bandwidth Generously Provided by pair Networks
Keep It Simple, Stupid

How to hide JAVASCRIPT coding from CGI?

by perlsen (Chaplain)
on Mar 14, 2005 at 15:16 UTC ( #439300=perlquestion: print w/replies, xml ) Need Help??

perlsen has asked for the wisdom of the Perl Monks concerning the following question:

Hi, Monks

I have created one simple CGI form to read the user inputs and stored it in MYSQL database and i retrieve it for some purpose. I have used javascript coding to validate the user inputs from client side. This was tested from client side at that time the javascript coding is easily viewed by the client side. but i want to hide this javascript script coding from client view. if any one knows, please suggest me how to hide this coding?. or is it possible to hide javascript coding from cgi scripting?.

Thanks in advance for your suggestions.

  • Comment on How to hide JAVASCRIPT coding from CGI?

Replies are listed 'Best First'.
Re: How to hide JAVASCRIPT coding from CGI?
by jhourcle (Prior) on Mar 14, 2005 at 15:33 UTC

    JavaScript is run by the client side. You can obfuscate it, but you can never remove it entirely, or the client doesn't have it so that it can run. You can move it to a seperate file, and link it in, if you wish, but it must be accessible to the browser that you expect to run it.

    If you don't want the brower to know your validation rules, you'll need to do it on the server side, which results in multiple round trips, and potentially more complicated overall code, and potentially a reduced user experience. Of course, I don't trust the user to have JavaScript on in the first place, so the more complicated overall code is a moot point, if you're paranoid as well.

      Right, JS validation should be to save a round-trip to the server and back not as a replacement for sanitizing on the server side. Trusting something a user sends you is just asking for trouble.

Re: How to hide JAVASCRIPT coding from CGI?
by brian_d_foy (Abbot) on Mar 14, 2005 at 17:40 UTC

    About the best you can do is put the Javascript stuff in a separate file, which is also handy because now you don't have to maintain the Javascript in multiple places.

    Ultimately, the browser needs to see it to use it, and anything the browser can see, a user can see.

    Never trust the javascript validation to do the work though. Verify everything on the server side.

    brian d foy <>
Re: How to hide JAVASCRIPT coding from CGI?
by jZed (Prior) on Mar 14, 2005 at 17:49 UTC
    1. JavaScript can only "validate" what is on a given HTML page, it does absolutely nothing to validate what is recieved by a CGI script. All anyone has to do is copy the original page, take out the javascript and submit that copy and your CGI will recieve the form with absolutely no validataion.

    2. "Hiding" JavaScript is the same thing as not using JavaScript. If you use JavaScript it is, by definition, visible to the browser - otherwise the browser couldn't execute it.

      It's even easier than that- users can turn off javascript anywhere they want, nullifying your client-side validation altogether.

      If you use Mozilla Firefox and the Web Developer Extension it is INCREDIBLY easy to muck with form values- you can turn POSTs to GETs, make all variables "writable" right in the browser, and generally wreck havoc on brittle form validation. Use javascript for UI/notification icing, server-side for real variable sanitization.

      -Any sufficiently advanced technology is
      indistinguishable from doubletalk.

      My Biz

Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: perlquestion [id://439300]
Approved by Mutant
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others making s'mores by the fire in the courtyard of the Monastery: (5)
As of 2021-05-05 21:15 GMT
Find Nodes?
    Voting Booth?
    Perl 7 will be out ...

    Results (69 votes). Check out past polls.