Is there any way to hide javascript functions from end user?

I want to user jquery ajax calls, for example;

function addnewteacher(){
      $.ajax({
          type: "POST",
          url: "/actions/dboss/newteach开发者_StackOverflow中文版er.php",
          data: "uname=" + $("#newteacheruname").val() + "&upass=" + $("#newteacherupass").val() + "&name=" + document.getElementById("newteachername").value + "&surname=" + document.getElementById("newteachersurname").value + "&mobile=" + document.getElementById("newteachermobile").value + "&email=" + document.getElementById("newteacheremail").value,
          success: function(html){
              $("#response").html(html);
              $("#response").dialog("open");
          }
      });
  }

As you can see, i have to give away the data part to end user. But i want to encrypt it with a hidden function then decrypt it on server so probably no one can send and malicious code to server just because that code wont make any sense after decryption if not properly encrypted. But i have to hide the function from user or make the function work only for me?

Thanks for any help/idea

---

You cannot hide JavaScript code. It gets downloaded to the client and executed there. You can obfuscate it, push it way deep inside, whatever you want, but a determined user can still find it. Your security really needs to be on the server, where you have complete control, not on the client, where you have no control at all.

Make sure calls to /actions/dboss/newteacher.php are authorized and verify they are coming from valid sources on the server. Security through obscurity is not security.

---

No. You can obfuscate them by minifying the code and that sort of thing, but you should never ever assume that your javascript is unreadable.

You need to validate and sanitize any user-submitted data on the server end.

---

No, sorry that's not possible. Everything you put in javascript will eventually be visible to the user. No matter how hard you try to minify/obfuscate the code, suffice to install FireBug and the password will popout at user eyes like a balloon.

---

Everything JavaScript does can be done by a user. Even if you think noone will even understand you code, he doesn't have to. He can just execute it and see what it gives. JavaScript should only be used as a way to make the UI more convenient, not to secure anything. Basically, what you want to is not to write a password in the JavaScript and check it in here when the user types it but you want to send the password written to the server that either says "yes" or "no". If you check a form with JavaScript, you have to recheck it on the server-side because JavaScript could be disabled and so on. JavaScript on its own isn't secured (as client-side language of course).

---

You can use something like Google Closure to obfuscate the Javascript code, but I'd really look into why you need to hide this in the first place since they will be messing up their own data. As long as you don't rely on the data being valid for server side functionality (such as injecting the input directly into SQL) you should be ok.

---

You should be trying to hide keys, not the function that signs the content.

I've seen a number of JS systems that do something like this:

<script>// Runs first
(function () {
  // Look for a key in the URL like 'http://mysite.com/my/path?my=params#;key=abcd...
  var key = document.location.hash.match(/;key=([^;]+)/)[0];
  // Make sure other code on the page can't retrieve the key.
  // This is analagous to a program zeroing out its argv to prevent
  // key retrieval via /proc.
  document.location = "#";  // Does not cause reload.

  // define signature algo and export to whatever scope is appropriate.
  ...
})();
</script>

Obviously, this only works with single-use keys.