I often get questions along the lines of "How can I keep people from changing
the ASP code I write?" Well, with components it's easy... just don't
give them the source code. With scripting languages like ASP it's not
quite so simple, but it can be done.
The secret is a little-known utility called the Windows Script Encoder from
the folks at Microsoft. Since I'd probably ramble on and get off on a
tangent if I tried to describe it, here's the description straight from
Microsoft's documentation:
Script Encoder is a simple command-line tool that enables script designers to
encode their final script so that Web hosts and Web clients cannot view or
modify their source. Note that this encoding only prevents casual viewing of
your code; it will not prevent the determined hacker from seeing what you've
done and how.
It's really pretty simple to use and comes with a help file that explains
everything pretty well, so instead of telling you how to use it I'll show
you an example of what it does. Here's a very simple ASP script that
simply outputs a sentence telling the user the time and date.
Before running it through the encoder it looks like this:
<%@ Language="VBScript" %>
<% Option Explicit %>
<html>
<head>
<title>Windows Script Encoding Sample</title>
</head>
<body>
<p>
It is currently
<% Response.Write Time() %>
on
<% Response.Write Date() %>.
</p>
</body>
</html>
After encoding it looks like this:
<%@ Language="VBScript.Encode" %>
<%#@~^EQAAAA==~}wObW P2Xw^rmbY~GwYAAA==^#~@%>
<html>
<head>
<title>Windows Script Encoding Sample</title>
</head>
<body>
<p>
It is currently
<%#@~^FwAAAA==~"+daW /+cMrYPPks+cb,yAcAAA==^#~@%>
on
<%#@~^FwAAAA==~"+daW /+cMrYP9lD+cb,twcAAA==^#~@%>.
</p>
</body>
</html>
Notice how the language has been changed from VBScript to
VBScript.Encode and the ASP script sections of the file
are no longer easily readable. While this doesn't prevent
people from modifying the file, it does keep the casual browser
from making changes to the code... well... meaningful changes at least.
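As an added example (not part of the original tip or of Microsoft's tooling), this Python script reads only the framing of the three encoded blocks above. Each block carries a base64 length field and a base64 checksum with no key involved, and both fields match the plain source shown earlier; the field layout is assumed from this page's sample pair, and the function names are my own.

```python
import base64
import re
import struct

# Encoded blocks copied from the sample on this page.
ENCODED_PAGE = r'''<%@ Language="VBScript.Encode" %>
<%#@~^EQAAAA==~}wObW P2Xw^rmbY~GwYAAA==^#~@%>
<%#@~^FwAAAA==~"+daW /+cMrYPPks+cb,yAcAAA==^#~@%>
<%#@~^FwAAAA==~"+daW /+cMrYP9lD+cb,twcAAA==^#~@%>'''

# The text between <% and %> in the original script on this page.
PLAINTEXT = [" Option Explicit ", " Response.Write Time() ", " Response.Write Date() "]

# Framing: start marker, base64 length, body, base64 checksum, end marker.
# This layout is an assumption inferred from the sample pair above.
B64_FIELD = r"[A-Za-z0-9+/]{6}=="
BLOCK_RE = re.compile(r"#@~\^(" + B64_FIELD + r")(.*?)(" + B64_FIELD + r")\^#~@", re.S)


def _u32(field):
    """Decode an 8-character base64 field into a little-endian 32-bit integer."""
    return struct.unpack("<I", base64.b64decode(field))[0]


def read_headers(text):
    """Return (declared_length, declared_checksum) for every encoded block in text."""
    return [(_u32(m.group(1)), _u32(m.group(3))) for m in BLOCK_RE.finditer(text)]


def matches(plaintext, header):
    """True if the plaintext's length and byte sum equal the block's two fields."""
    data = plaintext.encode("latin-1")
    return header == (len(data), sum(data) & 0xFFFFFFFF)


if __name__ == "__main__":
    for plain, header in zip(PLAINTEXT, read_headers(ENCODED_PAGE)):
        print(header, repr(plain), matches(plain, header))
```

The same pattern can be run over a web root to inventory which files contain encoded script blocks.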
Here are some links where you can find more information
on Windows Script Encoder as well as a link to the download page:
Maybe I tend to stick to pretty safe topics or maybe people
are just grateful enough to be getting free code that they
overlook my occasional snafu... not so this time. I've
gotten tons of negative feedback on this one... well allow
me to retort...
This email typifies what I've been getting as feedback:
Please delete this 'Quick Tip' from your otherwise fine website !!
Microsoft Script Encoder is an absolute waste of time. Someone
who is interested enough to want to steal your code won't
hesitate to spend the 15 or so seconds on Google locating
& downloading a whole variety of "Microsoft Script
Decoders". Within 1 minute you could download, install,
decode and take your code !!!
Maybe I'm slow, but it actually took me about 10 minutes
(though I did read the web page and docs). Nevertheless, the
point is valid. This is not meant to be used as a real form
of security. If someone wants to decode a script encoded this
way they will almost certainly be able to. It's meant as
protection only from the most casual
of observers. [I had used 'very casualest' there, but it just
seemed too wrong... even for me. ;) ]
That being said... I'm not going to remove the tip, for a
couple of reasons:
The docs say it "only prevents casual viewing" which may not illustrate how easily a script can be decoded, but is essentially correct.
I've worked for a number of clients to whom decoding a script encoded in such a fashion would be akin to them growing wings and flying. I'm talking about people who couldn't find a command prompt on a DOS machine.
Anyway... use it (or not) at your discretion, but please be
aware that the security level it offers is sort of on par
with removing whitespace from your HTML. It doesn't stop
anyone from stealing your code... it just sort of annoys
them while they're doing it.