--- Larry Kavounas <[EMAIL PROTECTED]> wrote:
> Carl-
>
> Thanks for your patience! The fact that I did not mention it goes to show
> you what a newbie I am...
>
> I am writing a web application, where the customers log in with a user name
> and password. The customers are regular people doing their regular job; no
> military; no banking. I am only trying to protect the customers' legal
> privacy. I do not aspire to beat CIA or NSA!
>
> I would like to prevent (if possible) hackers from viewing the source,
> finding the INPUT field names, and writing a script that honors me with a
> few hundred thousand gratuitous login posts per minute.
>
> I could store their IP address in advance... with a random string... and
> write the string in a picture with some weird colors and fancy fonts... and
> show them the picture... and use a Turing test so as to prove their eyeballs
> are human... and start to block out their IP addresses... but why should
> I go into all this trouble? It would be so much simpler if they just did not
> know the variables for user name and password! I want PHP to ECHO a string
> so that the browser works normally, and the user experiences a normal web
> page. But when they view the source, it is useless to them.
>
> Any other ideas that solve this problem are appreciated!
>
> Thanks again,
>
> Larry Kavounas

Although anything can be defeated, you could make your form in Flash and have it send the data to PHP. If you were trying to protect the PHP code from the owners of the server, you could use something like Zend encoder or an equivalent. In the end, the code has to be understood by the browser or its plugins. You have to ask yourself why it matters whether the "View Source" users see the form variable names. If it is a concern, don't use the same names in your program. Use nonsensical short variables like A1, A2, A3.

James

--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-newbie
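
An added example, not part of the original thread: because the browser has to be able to read the form, a cap on repeated login posts can only be enforced on the server, whatever the fields are called. This PHP code counts login POSTs per client IP in a sliding window; the function name, the constants, the in-memory array and the sample addresses are assumptions made for illustration (PHP 7.4 or later).

```php
<?php
// Added example: sliding-window throttle for login POSTs, keyed by client IP.
// record_and_check(), MAX_ATTEMPTS and WINDOW are hypothetical names.

const MAX_ATTEMPTS = 5;  // login POSTs accepted per IP per window
const WINDOW = 60;       // window length in seconds

/**
 * Record one login attempt and report whether it may proceed to the
 * password check. $log maps IP => list of accepted attempt timestamps.
 * Assumption: a real application keeps this in a shared store (database,
 * memcached) so that every PHP worker sees the same counters.
 */
function record_and_check(array &$log, string $ip, int $now): bool
{
    // Keep only the timestamps that are still inside the window.
    $recent = array_values(array_filter(
        $log[$ip] ?? [],
        fn(int $t): bool => $t > $now - WINDOW
    ));

    $allowed = count($recent) < MAX_ATTEMPTS;
    if ($allowed) {
        $recent[] = $now;   // only accepted attempts consume the budget
    }
    $log[$ip] = $recent;
    return $allowed;
}

// Constructed sample traffic (documentation-range IPs, made-up clock).
$log = [];
$t0 = 1000000;

// A script posting 8 logins within the same second from one address.
for ($i = 1; $i <= 8; $i++) {
    $ok = record_and_check($log, '203.0.113.7', $t0);
    echo "203.0.113.7 attempt $i: ", $ok ? "password checked" : "rejected", "\n";
}

// An ordinary user on another address is unaffected.
$ok = record_and_check($log, '198.51.100.20', $t0 + 1);
echo "198.51.100.20 attempt 1: ", $ok ? "password checked" : "rejected", "\n";

// Once the window has passed, the first address may try again.
$ok = record_and_check($log, '203.0.113.7', $t0 + WINDOW + 1);
echo "203.0.113.7 after window: ", $ok ? "password checked" : "rejected", "\n";
```

The same counter can be keyed by user name as well as by IP, so that attempts spread across many addresses against one account are also limited.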
