0

I have to send an XML request to recover data from a remote server and parse it using PHP. That much, I've managed to do... sort of. The trouble is, the XML I get back from the remote server looks something like this:

<info user="user" password="password" session="session">
    <data value="8" />
    <data date="..." />

If someone were to look at the source code on my website, they would see all of the above code, including the sensitive username and password data included in the first tag. Is there any way I can hide this?

Here is the code I use to recover and parse the data:

<?php 

$url = 'http://www.whereigetmyxml.com';

$ch = curl_init();     

curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);  

curl_setopt($ch, CURLOPT_URL, $url);  

$result = curl_exec($ch);  

curl_close($ch);  

echo $result; 

$xml = simplexml_load_file($url);

$myData = $xml->data[1]['date'];
echo $myData;

?> 

Thanks!

JasonMArcher
Jane
  • 1
    Why do you have to write the XML into the source code of your page? Why can't you just request the data, process it and then output only what is needed? Please clarify your scenario. – Gordon Jun 14 '11 at 08:44
  • That's a good question... I'm probably doing it wrong then. I'm saving the values I want as variables in an include file using simplexml and then calling the include from the main file and echoing the variables I saved... but in the source code, I get all of the xml code from the request. Is that not how I should be doing it? – Jane Jun 14 '11 at 08:51
  • 1
    @Jane, well, if you don't want to have the XML echoed, then I'd say yes, that's not what you should be doing. Can you show some of your code and explain what you are using it for or how you expect the results to be? – Gordon Jun 14 '11 at 08:57
  • OK I've edited the question to include some of the code I use to output the info... is there any other relatively simple way to display the data without echoing it (and thus revealing the entire XML sequence)? Thanks! – Jane Jun 14 '11 at 09:03
  • 1
    @Jane the snippet you show should not output anything but the date attribute of the second data element. See http://codepad.org/N616ShCG - there must be something else happening in your script that outputs the entire XML. – Gordon Jun 14 '11 at 09:10
  • Thanks, Gordon, I've included the full php include I use to parse the data. I echo $myData in the final HTML page... – Jane Jun 14 '11 at 09:24
  • @Jane obviously, your `echo $result;` outputs the XML. Unless your hoster has disabled [`allow_url_fopen`](http://de2.php.net/manual/en/filesystem.configuration.php#ini.allow-url-fopen) in php.ini, you do not need to use cURL to fetch the XML. See the answer by [fidr](http://stackoverflow.com/questions/6341104/hiding-xml-code-in-view-source-code/6341658#6341658) below. – Gordon Jun 14 '11 at 09:40
  • How are you sending the data? As far as I understood, you are sending and parsing at server-side (php), so you don't need to output it. Or are you requesting it in the client-side code (javascript)? Please provide some code, so we can see what you are doing wrong. Kind regards, – Maxim Krizhanovsky Jun 14 '11 at 08:46

3 Answers

2

It looks like you're doing two requests:

This loads the xml and outputs all of it:

$ch = curl_init();     
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);  
curl_setopt($ch, CURLOPT_URL, $url);  
$result = curl_exec($ch);  
curl_close($ch);  
echo $result;

This loads it again and outputs only the selected part:

$xml = simplexml_load_file($url);
$myData = $xml->data[1]['date'];
echo $myData;

The first part retrieves all of the XML and echoes it. This is not necessary and can be removed.

fidr
  • Nice to help the user, but this is not the answer to the question asked; this should be a comment, not an answer – Barkermn01 Jun 14 '11 at 10:35
  • 2
    Seems to me like this is the solution to his problem "they would see all of the above code...is there any way I can hide this?". It's the first part that echoes all of the xml – fidr Jun 14 '11 at 10:42
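An added example (not code from the question or from any answer) of the approach the answer above describes: fetch the XML once, keep the response server-side, and output only the escaped `date` attribute. The sample XML with its date value and the function names `fetchXml` and `extractDate` are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample standing in for the remote server's response.
const SAMPLE_XML = <<<'XML'
<info user="user" password="password" session="session">
    <data value="8" />
    <data date="2011-06-14" />
</info>
XML;

// Fetch the XML once. The body is returned to the caller and never echoed.
function fetchXml(string $url): ?string
{
    $ch = curl_init($url);
    if ($ch === false) {
        return null;
    }
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_TIMEOUT, 10);
    $body = curl_exec($ch);
    return is_string($body) ? $body : null;
}

// Return only the one attribute the page needs, HTML-escaped.
// On any failure return null rather than printing the raw XML or parser errors.
function extractDate(?string $xmlString): ?string
{
    if ($xmlString === null || $xmlString === '') {
        return null;
    }
    $previous = libxml_use_internal_errors(true); // keep parser warnings out of the page
    $xml = simplexml_load_string($xmlString, 'SimpleXMLElement', LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    if ($xml === false || !isset($xml->data[1]['date'])) {
        return null;
    }
    return htmlspecialchars((string) $xml->data[1]['date'], ENT_QUOTES, 'UTF-8');
}

// Against the real server this would be: extractDate(fetchXml($url));
$date = extractDate(SAMPLE_XML);
echo $date ?? 'Data unavailable';
```

The `user`, `password` and `session` attributes are parsed on the server but never reach the generated HTML, because the only `echo` prints the extracted value.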
1

If someone does 'View Source' on a browser, they don't see the PHP code, only the HTML that the PHP generates. It shouldn't really be a problem.

'View Source' refers to the HTML source, not the source code that created it. It's actually quite badly named these days; 'source' is too ambiguous. It should probably be called 'View Markup' or something like that; the browser never even gets to see the real 'source'.

Flynn1179
0

If you need to send data to the client (browser), the client can always see it.

If you're sending passwords back to the client, and this is a security issue (sure sounds like it), you must change how your application works, not figure out a way to hide it from the user (which is theoretically impossible).

Evert