convert PHP array to JS array (without writing contents)

Question

I have a PHP array with URL's that I would like to keep hidden (or at least more difficult to copy) I need to convert this array to a JS array. Is it possible without writing the items in JS?

So NOT like in following example where the URL's can be found in the source...

<?php
    $arr = array("http://foo.com","http://bar.com","http://baz.com"); 
?>

<script>
    var newArr = new Array("<?php echo implode(',' ,$arr); ?>");
</script>

Answer 1

Directly it is not possible. JavaScript code is interpreted, so no chance to hide it.

Another way is to make make an ajax call to file which will echo the items.

If you wish more security make 2 GET calls one to get some info, process it with the js and use it at the second call which will get your array. Something like the "obscurity" or "time" method. In theory this will add some protection.

Or as nobody suggested you can use again the technique with the 2 GETs, and encode and decode dinamically the data in the array. This will add more security.

Answer 2

If you want to make the urls unreadable you can encode each character to \xnn escape sequence:

<?php
    $arr = array( "http://foo.com","http://bar.com","http://baz.com" ); 
    $encodedArr = array();
    foreach( $arr as $url ) {
        $encodedUrl = '';
        for( $i = 0; $i < strlen( $url ); ++$i ) {
            $encodedUrl .= '\\x'.str_pad( 
                  sprintf( '%x', ord( $url[$i] ) ),
                  2, STR_PAD_LEFT );
        }
        $encodedArr[] = '"'.$encodedUrl.'"';
    }
?>
<script type="text/javascript">
    var newArr = [ <?php echo implode(',' ,$encodedArr); ?> ];
    alert( newArr[0] );
</script>

the written javascript will look like this:

var newArr = [ "\x68\x74\x74\x70\x3a\x2f\x2f\x66\x6f\x6f\x2e\x63\x6f\x6d","\x68\x74\x74\x70\x3a\x2f\x2f\x62\x61\x72\x2e\x63\x6f\x6d","\x68\x74\x74\x70\x3a\x2f\x2f\x62\x61\x7a\x2e\x63\x6f\x6d" ];
alert( newArr[0] );

but will alert http://foo.com

Answer 3

If you want one of your system's component not to touch some piece of data, don't give it the data.

However, if the browser cannot have the data, it cannot use it, either. There's a dilemma...

Maybe you want to insert an extra indirection: have your PHP provide a series of 'command-url's' to the javascript GUI, and have it trigger these commands instead of letting it know your sensitive data.

Answer 4

Javascript could read the data via an AJAX request, it wouldn't show up in the page source but you'd be able to see it with any half-decent web developer toolset.

Answer 5

I don't think it is possible, but depending on what you are trying to do, you can remove the script element from the DOM when you are done with it, so it won't appear in your source code to the user. This kind of technique is quite useful for example when building a javascript block that other people would include on their site. The javascript code can ran, and when it's finished remove itself from the DOM so other people can't copy your code.

Answer 6

Use JSON.

In PHP, that'd be:

<?php
$arr    = array('http://[a]', 'http://[b]', 'http://[c]');

echo json_encode($arr);

in JS:

<script type="text/javascript">
arr[0]; // http://[a]

arr.each(function(k,v){
    v; // http://[a]

    // loops trough the remaining values
});

Answer 7

It's not possible to do it without writing the items in JS. However if you are using those variable for validation, you could transfer that validation on the server and use AJAX to call that validation.

Answer 8

Nope. This is not possible without writing the items in JS.