Reputation: 1991
I need to pass a variable in an onclick function that I don't want the user to be able to view the page source and just easily read. I want to encode the string and then decode it in the function that I pass the string to.
I've done a Google search for this and can only find information on encoding/decoding URLs to safely pass them, but not strings in general. Does JavaScript have any built-in encoding/decoding functions (hopefully ones that PHP has too, because I will also be using PHP to send the encoded string)?
Upvotes: 0
Views: 738
Reputation: 1672
To get your URL off the JavaScript, try using some ID instead. You will then have to translate that ID server-side to the URL. You can use a simple array such as:
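<?php
// Map opaque song IDs to their real URLs; the mapping stays on the server.
function getLink($songID) {
    $decodeArray = array(
        1 => "www.mysite.com/myfirstsong.mp3",
        2 => "www.othersite.net/othersong.mp3");
    // Unknown IDs yield null instead of an undefined-index notice
    return isset($decodeArray[$songID]) ? $decodeArray[$songID] : null;
}
// Accept only a plain string parameter and treat it as an integer ID
$id = isset($_GET['songID']) && is_string($_GET['songID']) ? (int)$_GET['songID'] : 0;
$link = getLink($id);
if ($link === null) { http_response_code(404); die(); }
die($link); // send back the URL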
Or you can use a database within that translating PHP code (above).
There you have 2 choices how to do this "answering service": 1) replying to the XMLHttpRequest with the URL (from your PHP script) and passing the returned value from JavaScript to Flash client-side (as in the code above), or 2) answering only some "OK" status message to JavaScript and sending the URL directly to the Flash player; you would need to be able to code a little in ActionScript to be able to do this.
The problem still is in the fact that you need to inform the client (or Flash) about the actual song location (the readable URL string where it can find that song), so it has to travel back to the client and can be intercepted using a sniffer (packet analyzer) net tool. And in the case of the code above, one can query that PHP script directly and read the answer on screen without the need for sniffing.
To prevent that you would need to have the communication directly with Flash either through HTTPS (not sure whether it would work) or not send the URL at all and instead stream the content of that song directly to your Flash application using a socket connection between the Flash player client-side and your (home-made) PHP socket server.
Upvotes: 1
Reputation: 93948
What you are trying to implement is DRM, which is not feasible to implement using browsers and JavaScript. You can of course always make it harder for a user to get to the sound file, but beware that you can easily scare away your users.
What you can do is to generate a large random (say 8 to 16 bytes or so) on the server side, or hash a counter. Then you make the MP3 available only once for download using the given random value. Next time any user wants to download the file, he gets a new random. The randoms are sufficiently large for a user never to guess the next file. As said, you cannot disallow the first download of course, so anybody smart enough to play with the browser's cache will easily break the scheme.
You could also embed a flash player that receives and decodes the data stream so you can send the data in a form that is not easily decodable by non-experts. You could mix this with the randomized URL method.
You can URL-encode the random value using hexadecimals, or by using base64 and then a URL-encode function.
Upvotes: 1
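The one-time random URL scheme from the answer above, as an added example that is not code from any poster in this thread. It is server-side Node.js; the `OneTimeLinks` class, its in-memory store, the expiry time and the file path are assumptions made for illustration.

```javascript
const { randomBytes } = require('node:crypto');

// Hypothetical in-memory store: token -> { path, expires }.
// A real deployment would keep this in the session or a shared database.
class OneTimeLinks {
  constructor(ttlMs = 60000, now = () => Date.now()) {
    this.ttlMs = ttlMs;
    this.now = now;            // injectable clock so expiry can be tested
    this.tokens = new Map();
  }

  // Issue a fresh 16-byte random token for a server-side file path.
  // Hex output is already URL-safe, so no further URL-encoding is needed.
  issue(path) {
    const token = randomBytes(16).toString('hex');
    this.tokens.set(token, { path, expires: this.now() + this.ttlMs });
    return token;
  }

  // Redeem a token: the path is returned once, then the token is gone.
  // Malformed, unknown, reused and expired tokens all return null.
  redeem(token) {
    if (typeof token !== 'string' || !/^[0-9a-f]{32}$/.test(token)) return null;
    const entry = this.tokens.get(token);
    if (!entry) return null;
    this.tokens.delete(token); // single use, even when already expired
    return this.now() <= entry.expires ? entry.path : null;
  }
}

// Constructed sample run; the path is a placeholder, not a value from the page.
function demo() {
  let clock = 0;
  const links = new OneTimeLinks(1000, () => clock);
  const t1 = links.issue('/srv/media/song-1.mp3');
  const t2 = links.issue('/srv/media/song-1.mp3');
  const first = links.redeem(t1);   // the real path, handed out once
  const replay = links.redeem(t1);  // same token again is refused
  clock = 5000;
  const late = links.redeem(t2);    // unused token past its lifetime is refused
  return { t1, t2, first, replay, late };
}

console.log(demo());
```

Only the token appears in the page source; the real path is resolved on the server at redemption time, and the first download can still be saved by the user, as the answer points out.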
Reputation: 9891
What you are trying to do is not feasible. No matter what decryption logic you use, you will need to ship it over to the consumer's computer in JavaScript, which means that any sufficiently smart script-kiddie with Firebug will be able to easily decode all of your secrets. Moreover, they will be able to modify the data on the client side, in their browser console, and trick your server.
I encourage you to keep these kinds of secrets on the server side, perhaps in session state, or in something that's associated with the currently logged-in user. Do not send it to the client.
Upvotes: 1