ASP 101 - Active Server Pages 101 - Web05
The Place ASP Developers Go!

Please visit our partners


Windows Technology Windows Technology
15 Seconds
4GuysFromRolla.com
ASP 101
ASP Wire
VB Forums
VB Wire
WinDrivers.com
internet.commerce internet.commerce
Partners & Affiliates














ASP 101 is an
internet.com site
ASP 101 is an internet.com site
IT
Developer
Internet News
Small Business
Personal Technology

Search internet.com
Advertise
Corporate Info
Newsletters
Tech Jobs
E-mail Offers

ASP 101 News Flash ASP 101 News Flash



 Top ASP 101 Stories Top ASP 101 Stories
Getting Scripts to Run on a Schedule
The Top 10 ASP Links @ Microsoft.com
What is Adovbs.inc and Why Do I Need It?

QUICK TIP:
How to Empty an Array
Show All Tips >>
ASP 101 RSS Feed ASP 101 Updates


Quick Tips


Hiding Your ASP Code

I often get questions along the lines of "How can I keep people from changing the ASP code I write?" Well with components it's easy... just don't give them the source code. With scripting languages like ASP it's not quite so simple, but it can be done.

The secret is a little known utility called the Windows Script Encoder from the folks at Microsoft. Since I'd probably ramble on and get off on a tangent if I tried to describe it, here's the description straight from Microsoft's documentation:

Script Encoder is a simple command-line tool that enables script designers to encode their final script so that Web hosts and Web clients cannot view or modify their source. Note that this encoding only prevents casual viewing of your code; it will not prevent the determined hacker from seeing what you've done and how.

It's really pretty simple to use and comes with help file that explains everything pretty well so instead of telling you how to use it I'll show you an example of what it does. Here's a very simple ASP script that simply outputs a sentence telling the user the time and date. Before running it through the encoder it looks like this:

<%@ Language="VBScript" %>
<% Option Explicit %>
<html>
<head>
  <title>Windows Script Encoding Sample</title>
</head>
<body>
<p>
It is currently
<% Response.Write Time() %>
on
<% Response.Write Date() %>.
</p>
</body>
</html>

After encoding it looks like this:

<%@ Language="VBScript.Encode" %>
<%#@~^EQAAAA==~}wObW	P2Xw^rmbY~GwYAAA==^#~@%>
<html>
<head>
  <title>Windows Script Encoding Sample</title>
</head>
<body>
<p>
It is currently
<%#@~^FwAAAA==~"+daW	/+cMrYPPks+cb,yAcAAA==^#~@%>
on
<%#@~^FwAAAA==~"+daW	/+cMrYP9lD+cb,twcAAA==^#~@%>.
</p>
</body>
</html>

Notice how the language has been changed from VBScript to VBScript.Encode and the ASP script sections of the file are no longer easily readable. While this doesn't prevent people from modifying the file, it does keep the casual browser from making changes to the code... well... meaningful changes at least.

Here are some links where you can find more information on Windows Script Encoder as well as a link to the download page:

There are also a few known problems / bugs:

Please Note: Scripts Are Easily Decoded

Maybe I tend to stick to pretty safe topics or maybe people are just grateful enough to be getting free code that they overlook my occasional snafu... not so this time. I've gotten tons of negative feedback on this one... well allow me to retort...

This email typifies what I've been getting as feedback:

Please delete this 'Quick Tip' from you otherwise fine website !!

Microsoft Script Encoder is an absolute waste of time. Someone who is interested enough to want to steal your code won't hesitate to spend the 15 or so seconds on Google locating & downloading a whole variety of "Microsoft Script Decoders". Within 1 minute you could download, install, decode and take your code !!!

Maybe I'm slow, but it actually took me about 10 minutes (though I did read the web page and docs). Nevertheless, the point is valid. This is not meant to be used as a real form of security. If someone wants to decode a script encoded this way they will almost certainly be able to. It's meant as protection only from the most casual of observers. [I had used 'very casualest' there, but it just seemed too wrong... even for me.  ;)  ]

That being said... I'm not going to remove the tip for a couple reasons.

  1. The docs say it "only prevents casual viewing" which may not illustrate how easily a script can be decoded, but is essentially correct.
  2. I've worked for a number of clients to whom decoding a script encoded in such a fashion would be akin to them growing wings and flying. I'm talking about people who couldn't find a command prompt on a DOS machine.

Anyway... use it (or not) at your discretion, but please be aware that the security level it offers is sort of on par with removing whitespace from your HTML. It doesn't stop anyone from stealing your code... it just sort of annoys them while they're doing it.


Previous      Show All Tips      Next

If you have a tip you would like to submit, please send it to: webmaster@asp101.com.


Home |  News |  Samples |  Articles |  Lessons |  Resources |  Forum |  Links |  Search |  Feedback

Internet.com
The Network for Technology Professionals

Search:

About Internet.com

Legal Notices, Licensing, Permissions, Privacy Policy.
Advertise | Newsletters | E-mail Offers