0

I need to send a big variable without showing it in the resulting HTML page because:

- I could give away sensitive data (just checking the page source would do it)
- being a big amount of data, it slows down the page loading quite a bit.

Using "echo" is out of the question of course, I have searched lots of different methods, but haven't found a suitable one.

Even refreshing the page, using Ajax or Json, calling a script from the outside would be fine, but I haven't found a way of doing what I need so far. Can somebody help me? Thanks. Roberto

  • 2
    If you pass any data "from PHP to Javascript" it will be visible anyway, I think... – nanocv May 08 '16 at 19:24
  • Javascript is always visible in client side. No way you can do that. – Sandeep May 08 '16 at 19:26
  • What do you want to do with that sensitive data? Why not to keep it in server side? Could you describe your problem a bit more? – nanocv May 08 '16 at 19:26
  • ok, then, if you can use ajax/ json/ jsonp: google "jquery ajax tutorial". you'll find loads of examples. if you don't want to use jquery it's more long winded to do an ajax call but still pretty straight forward. – dewd May 08 '16 at 19:27
  • @nanocv true, but encapsulating it can disguise its presence somewhat. – dewd May 08 '16 at 19:28
  • 1
    You can hide whatever you want from the html, but if you need a value from php on your page, retrieved via jquery get or post, or via any other method, users will be able to read it. – Pedro Lobito May 08 '16 at 19:32
  • If the PHP script is a separate page, and the page that the viewers are viewing is .html, you can send the data with $.ajax or $.get, and set up a success handler that stores the data sent back in a variable. In the PHP, echo the result at the end of the script. Make sure, though, that the PHP script is on a different page, and isn't inline with the HTML. Does this make sense? – Tom Anderson May 08 '16 at 20:12
  • Hi everybody, thanks for your help, I just saw the messages now, and I have found my answer. – Roberto Delpiano May 14 '16 at 12:49
  • Hi everybody, thanks for your help, I just saw the messages now, and I have found my answer. As somebody has been pointing out, when you pass a variable to JS, you will see it in HTML. I came to this conclusion too, even though I am not good at JS, and I sort of hate it. But I found an excellent solution in this page http://www.bewebdeveloper.com/tutorial-about-autocomplete-using-php-mysql-and-jquery that has solved the problem. – Roberto Delpiano May 14 '16 at 12:57
  • Now, why I wanted to do the PHP-JS variable pass: - work on a local file, so no need of several server accesses - no need of downloading 95k of jquery script. Yes, I am cheap, I come from the old school, where a byte is still a byte. So I had avoided since the beginning any "several server accesses" exactly for that reason, but I decided to go that way when I saw that I was fighting a losing battle. Thanks to everybody for your answers and help, I really appreciated it, and it made me understand that, in the end, I went the right way, although it was sort of costly in terms of stress ... – Roberto Delpiano May 14 '16 at 12:58

2 Answers

2

You can hide whatever you want from the html, but if you need to pass a value between php and JS, retrieved either via jQuery, get, post or any other method, the end user will be able to read it.


NOTE:

You guys can down-vote as much as you want, but I'll keep my answer until someone explains how to "Pass variable from PHP to Javascript", without exposing the data to the end user.


EDIT +4 Years later (2020):

A possible solution is to encrypt the code you want to hide from the end user and decrypt it when the user posts it back, i.e.:

<?php

// Encrypts ($t == 'e') or decrypts ($t == 'd') the string $s with AES-256-CBC.
// Returns false for an unknown mode or when decryption fails.
function encdec($t, $s){

    $secret_key = 'secret_key';
    $secret_iv = 'secret_iv';

    $output = false;
    $encrypt_method = "AES-256-CBC";
    // Key and IV are both derived from fixed strings, so the same input
    // always produces the same output.
    $key = hash( 'sha256', $secret_key );
    $iv = substr( hash( 'sha256', $secret_iv ), 0, 16 );

    if( $t == 'e' ) {
        $output = base64_encode( openssl_encrypt( $s, $encrypt_method, $key, 0, $iv ) );
    }
    else if( $t == 'd' ){
        $output = openssl_decrypt( base64_decode( $s ), $encrypt_method, $key, 0, $iv );
    }

    return $output;
}

$my_secret = encdec("e", "internal_XPto123");
echo $my_secret;

# Then, when the user posts it back, via form or any other method, you decrypt it:

# A missing parameter becomes an empty string, which fails to decrypt.
$my_secret = encdec("d", $_REQUEST['some_arg'] ?? '');
if (is_string($my_secret) && preg_match('/^internal_[a-z\d]{7}$/i', $my_secret)) {
    # string structure matches, continue...
}

The above can be useful to, let's say, hide a subscription id from the end user which, if exposed, could reveal information about your internal structure, but that you need to use as a form of identification in your code.

I've used this to populate a custom attribute of a button that was later used as an argument of a jquery ajax request when the button was clicked.

A rule of thumb is to never trust the user input, but this way, it will be very difficult to try any kind of injection without knowing the real values, and if you add recaptcha3 to the mix, it's a no go for anyone trying to mess with your system.

Simple DEMO

Pedro Lobito
  • 85,689
  • 29
  • 230
  • 253
  • For what it's worth I think your answer is right. However, it depends on the definition of user. Whilst you or I might be able to uncover encapsulated data, more than 99% of the population would not, and if it's non-sensitive information, say quiz answer info, then encapsulation would do what the OP requires. – dewd May 08 '16 at 20:13
  • +1, of course it's correct, all user has to do is open a console to see the entire response of the request. – I wrestled a bear once. May 08 '16 at 22:48
  • @Pamblam forked for future use ;) tks – Pedro Lobito May 08 '16 at 22:55
  • @PedroLobito I would rather put that big notice in a comment here (and in bold still totally fits). I am quite sure there will be enough people voting that comment to stick it high enough that it wouldn't need to be in the answer anymore :) – β.εηοιτ.βε May 09 '16 at 21:10
  • I've updated the answer @b.enoit.be – Pedro Lobito May 09 '16 at 21:11
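
The round trip from the 2020 edit of the answer above, as an added example that is not the answer author's code: it swaps AES-256-CBC with a fixed IV for AES-256-GCM with a random nonce, so the same identifier never yields the same token twice and a modified token is rejected instead of being decrypted. The helper names `seal_id()` and `open_id()`, the idea of binding the token to a context string such as the session id, and all demo values are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

const CIPHER    = 'aes-256-gcm';
const NONCE_LEN = 12; // bytes
const TAG_LEN   = 16; // bytes

// Hypothetical helper: encrypt $plain and bind the token to $context
// (for example the session id) so it is only valid where it was issued.
function seal_id(string $plain, string $key, string $context): string
{
    $nonce = random_bytes(NONCE_LEN); // fresh for every token
    $tag = '';
    $ct = openssl_encrypt($plain, CIPHER, $key, OPENSSL_RAW_DATA,
                          $nonce, $tag, $context, TAG_LEN);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // URL-safe base64 so the token survives HTML attributes and form posts.
    return rtrim(strtr(base64_encode($nonce . $tag . $ct), '+/', '-_'), '=');
}

// Hypothetical helper: returns the plaintext, or null when the token is
// malformed, was modified, or was issued for a different context.
function open_id(string $token, string $key, string $context): ?string
{
    $b64 = strtr($token, '-_', '+/');
    $raw = base64_decode($b64 . str_repeat('=', (4 - strlen($b64) % 4) % 4), true);
    if ($raw === false || strlen($raw) < NONCE_LEN + TAG_LEN) {
        return null;
    }
    $plain = openssl_decrypt(substr($raw, NONCE_LEN + TAG_LEN), CIPHER, $key,
                             OPENSSL_RAW_DATA, substr($raw, 0, NONCE_LEN),
                             substr($raw, NONCE_LEN, TAG_LEN), $context);
    return $plain === false ? null : $plain;
}

// Constructed demo values. A real key is 32 random bytes kept in server config.
$key   = random_bytes(32);
$token = seal_id('internal_XPto123', $key, 'session-A');
$again = seal_id('internal_XPto123', $key, 'session-A');
$bad   = $token;
$bad[20] = $bad[20] === 'A' ? 'B' : 'A'; // simulate a modified token

var_dump(open_id($token, $key, 'session-A')); // round trip in the issuing context
var_dump($token === $again);                  // same identifier sealed twice
var_dump(open_id($bad, $key, 'session-A'));   // modified token
var_dump(open_id($token, $key, 'session-B')); // token presented in another context
```

The value returned by `open_id()` still goes through the same format check and authorization as any other request parameter.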
0

Javascript will be visible for the user. You can't get around it.
Php runs on the server and is hidden from the user.
Javascript on the other hand is being run by the user's "machine" thus it's visible.

Andreas
  • 23,304
  • 5
  • 28
  • 61
  • 2
    I didn't downvote but clearly this answer is well suited as a comment – Pushkar May 08 '16 at 19:48
  • @Pushkar I do agree with you to some degree, but sometimes the answer to a question is that it is not possible. – Andreas May 08 '16 at 20:04
  • 1
    that's why I refrain from answering such questions – Pushkar May 08 '16 at 20:05
  • @Pushkar that should not be a reason not to answer a question in my opinion – Andreas May 08 '16 at 20:22
  • Thanks a lot for your comments, I explained what the reasons were, and how I solved it in the end, in a commentary one screen higher. Although I am aware of these facts, server-side and user-side, I really hoped that when an information is in the user memory, without the need of showing it in Html, I was able to programmatically use it, but it was not the case. Wind mills, we have to try to fight them sometimes, or life would result boring in the end. TX! – Roberto Delpiano May 14 '16 at 13:02