Hiding Database info from view source

EIREHotspur

I want a php page to be able to read values for a form to connect to a server but as this carrys username and password as well as another few sensitive fields....I don't want anyone lifting the code and being able to access my forms.

Anyone have a tutorial as to how best to achieve this?

I suppose it involves hashing password type fields in phpmyadmin or encrypting/decrypting on the page?

Just cannot google the right terms to get what I want.

thanks in advance.

Graham

Are you talking about the username and password used to connect to the database?

bpmurray

The PHP code isn't visible in the browser - all it sends is the markup.

EIREHotspur

bpmurray wrote: »

The PHP code isn't visible in the browser - all it sends is the markup.

Thanks for the answer bp and sorry....I made a bags of describing it.

I am building a php page with a form that draws values from a database.
The values are sensitive information and I need the markup itself to not be visable.

Reading about Data masking but that is out of the equation pricewise.
I am not that up on PHP to write functions etc

colm_c

EIREHotspur wrote: »

Thanks for the answer bp and sorry....I made a bags of describing it.

I am building a php page with a form that draws values from a database.
The values are sensitive information and I need the markup itself to not be visable.

Reading about Data masking but that is out of the equation pricewise.
I am not that up on PHP to write functions etc

Still don't understand what you want to do, if you want to render it so it's readable, but not copyable and/or people can't view source then I'm afraid you're out of luck as that's the nature of the internet/websites/php.

EIREHotspur wrote: »

I am not that up on PHP to write functions etc

This is a bit scary if you're dealing with sensitive data :eek:

Giblet

Do you mean you want a value to be ****** ?
You render what you want, if you don't want sensitive data to be found, don't render it in the first place!

EIREHotspur

Guys it is a Push Notification Page.
It sits behind a password protected login but it needs username, etc to connect to the server to send them.

I have not put up anything yet until I find a solution.....and there must be one because another guy has a service making $$$ and his source code cannot be seen....

Graham

EIREHotspur wrote: »

Guys it is a Push Notification Page.
It sits behind a password protected login but it needs username, etc to connect to the server to send them.

I have not put up anything yet until I find a solution.....and there must be one because another guy has a service making $$$ and his source code cannot be seen....

It sounds like you're confusing the php code with the html that's sent to the browser.

Try this in a file called something like test.php then view the source in a browser.

<!DOCTYPE html>
<html>
<body>

<?php
$username = "TopSecret";
$password = "NoPeeking";
$kangeroo = "skippy";
echo $kangeroo;
?>

</body>
</html>

EIREHotspur

Graham...thanks for that....That works and your right.....I am used to Dreamweaver and extensions....

How would I put this in a form which is how this works.

<input type="hidden" name="username" value="jim" />

I would want "jim" to be hidden obviously??

Graham

EIREHotspur wrote: »

Graham...thanks for that....That works and your right.....I am used to Dreamweaver and extensions....

How would I put this in a form which is how this works.

<input type="hidden" name="username" value="jim" />

I would want "jim" to be hidden obviously??

If you're submitting to a 3rd party, why would you want anything in a form?

bpmurray

If you're trying to associate data with a webpage yet not display it on the page, you can store it in the session. In your PHP code, you can use session_start to create a session, and session_destroy to delete it once the user has logged out. Then you can store stuff in session variables, and they're never sent to the web page but are available to your PHP code. Have a look at this for a simple explanation.

EIREHotspur

Thank guys

Graham...a Push Notification is a form.....like an email that targets an App based on appid, username and password for an account etc

Thanks for that BP...I will be studying that example carefully....

Graham

EIREHotspur wrote: »

Thank guys

Graham...a Push Notification is a form.....like an email that targets an App based on appid, username and password for an account etc

Thanks for that BP...I will be studying that example carefully....

This form you're talking about, would I be right in guessing that it's on a server/site belonging to someone else?

You're trying to write a script that will submit to this remote form to generate a push notification?

EIREHotspur

The form I send is on a page on my server.....the notification gets sent from his server....yes......so hiding it is tricky as it should be a server side script right?

Graham

EIREHotspur wrote: »

The form I send is on a page on my server.....the notification gets sent from his server....yes......so hiding it is tricky as it should be a server side script right?

The form on your side should probably just contain the message fields (e.g. recipient and message) everything else (username/password) should be added by php after your form is submitted.

How are you transferring the message from your server to his server?

EIREHotspur

You fill in the message like you would any form on the page and click submit....that passes to his server which passes it on to the App...confirmation is done his side....

Graham

You should have the form submit the message to your server then use php to send the necessary fields to his server.

EIREHotspur

Graham wrote: »

You should have the form submit the message to your server then use php to send the necessary fields to his server.

Sessions is prob the only way to do it....

I started a new Session on page....on the same page I gave it the appid and then tried to use it in the form on the same page...

value="<?php echo $_SESSION["appid"] ;?>" />
shows the appid in view source and works


value="<?php echo $_SESSION["appid"] ;?>" />
does not show " and doesn't work....

Graham

If you're trying to populate a form with the credentials for the remote site, stop it before I send someone around with a bat.

Your form should only have the parts that change between each message (e.g. message and recipient), that form should submit to YOUR server. Your server then adds in the credentials (hidden from prying eyes) before it submits everything to the remote server.

EIREHotspur

We will have to get a few Bats and head over to America then to the people who supply the service.
You can view the details on their Push Notification Page too.....populated just like mine.
Granted it is behind each users control panel but it strikes me as suicidal to do it this way....I cannot afford to risk these details getting compromised down the line.

MY FORM sits on my server
I hit submit and it reads the details and sends that info to Their Server which pushs it out to the App.

Unless the Form sees each bit of Data it won't work...

Push Notifications are the HUGE selling point of Apps....I have to have a solution...

I was told to use a JavaScript solution
http://scriptasylum.com/tutorials/javascript_encoder.html

But this isn't javascript...

Graham

What are you pushing notifications to (iPhones, Android, Web)?

What push notification service are you using?

EIREHotspur

To both Android and iPhone

The Publishers own one.

Graham

Google this:

php http post to submit to remote form

Then try what I suggested earlier.

28064212

You're not explaining it very well, but is the basic process like this?

1. User visits your site, fills in some information and submits
2. Your site contacts the 3rd party notification service with the information, using a pre-defined username and password
3. The 3rd party notification service pushes out the notifcation

If so, you never need to send the username/password to the user. The user submits their information to your server. Your server adds the username/password, and then sends the information on to the 3rd party.

If that's not the process, then explain it exactly, from start to finish

EIREHotspur

Thanks for that Graham....I wonder is this link from googling that close to what you mean??

http://www.html-form-guide.com/php-form/php-form-submit.html


28064212....that's it exactly yes....only of course they login to my site...through some more testing.....it doesn't even need username and password of the account to send the Notfication....but from what I see unless the form sees publisherid and appid it won't submit the form and sends you to a page on their server saying restricted...

The Company helpline told me to try and build a backend using their APIs....had a look at their PDF of that.......oh....JASUS......

28064212

EIREHotspur wrote: »

28064212....that's it exactly yes....but from what I see unless the form sees publisherid and appid it won't submit the form and sends you to a page on their server saying restricted...

So what you're doing at the moment is using the form to submit directly to the 3rd party service?

That's not what you should be doing. The form should submit to your site, another php page where you take in the submitted values from the user, add the publisherid and appid, and your site makes the call to the 3rd party service

Graham

EIREHotspur wrote: »

Thanks for that Graham....I wonder is this link from googling that close to what you mean??

http://www.html-form-guide.com/php-form/php-form-submit.html


The Company helpline told me to try and build a backend using their APIs....had a look at their PDF of that.......oh....JASUS......

That's exactly the kind of thing I was talking about.

I wouldn't right off the API either, if it's a JSON interface then it's not massively more complicated the what you're reading about with cURL.

EIREHotspur

Thanks lads...I have spent a lot of money over the years on extensions etc to get me where I want to go because detailed coding makes my head hurt....

I have not found out that this guys server runs asp because the confirmation page after the notification is a .ashx.
I have never touched ASP...

I don't know at this point.....another frustrating day....


Can I have a tutorial, example or google term for that 28064212 ??

Graham

EIREHotspur wrote: »

Thanks lads...I have spent a lot of money over the years on extensions etc to get me where I want to go because detailed coding makes my head hurt....

I have not found out that this guys server runs asp because the confirmation page after the notification is a .ashx.
I have never touched ASP...

I don't know at this point.....another frustrating day....


Can I have a tutorial, example or google term for that 28064212 ??

It shouldn't make any difference what the server is running on the other side if all you're doing is submitting a form. It looks to me like 28064212s suggestion is the same as mine.

1) Create the message form on your server (e.g. message and recipient fields), this form should POST to 2)
hint -> http://www.w3schools.com/php/php_forms.asp

2) Create a new php script on your server to accept your form submission, catch each form field in its own variable.
hint -> http://www.w3schools.com/php/php_form_validation.asp

3) On script from 2) echo the variables so you can see if they are being captured properly

4) On script from 2) Add two new variables to hold the credentials for the remote server (I assume username and password).

5) Submit all the variables to the remote server
hint -> http://www.html-form-guide.com/php-f...rm-submit.html that you found earlier.

EIREHotspur

Thanks for that Graham......lots of stripping out code and no idea where to start with the variables add on.

Like you say....I suppose it is a case of a php page to process the form and then add variables to it to them auto send it on to the PN Server

http://webcheatsheet.com/php/form_processing.php

Graham

This is untested but it should give you a starting point:

test.php

<html>
<head>
    <title>Blahhhh</title>
</head>
<body>
<form name="myform" action="send.php" method="POST">
    Recipient: <input type="text" name="recipient" /><br />
    <textarea name="message" rows="10" cols="60">Enter your message here</textarea><br />
    <input type="submit" />
</form>
</body>
</head>
</html>

send.php

<?php
    $recipient = $_POST['Name'];
    $message = $_POST['message'];
    $username = "BOB"; // Don't put real credentials here until you have removed the echo statements
    $password = "NOPEEKING"; // Don't put real credentials here until you have removed the echo statements

// Remove the echo lines when you're happy each variable is getting the value it should
    echo $recipient."<br />";
    echo $message."<br />";
    echo $username."<br />";
    echo $password."<br />";

// Below this point you build the cURL submission to the remote server

?>