hiding PHP


rhodopsin
11-11-2004, 01:01 PM
Am I right to assume that PHP code is safe from visitors being able to see it if they go searching? Unlike Javascript.

Are there any extra measures I should go to to hide my PHP code?

Thanks guys.

raf
11-11-2004, 01:10 PM
PHP is not visible to the clients.

The only situation where a PHP script can be sent unparsed to the client is when the webserver is falling over. This is one of the reasons why you should never store sensitive data (like passwords and usernames of a mysql-account or similar) inside your actual scripts, but put them inside separate files that you then include. If the script is sent unparsed, only the address of the include will be disclosed, but the server will be down by the time they can request that file + inside all files that you include, you need to place a check at the top to make sure that the requested file is different from that script, or you need to place these includes above the webroot.
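An added example of the include layout described in the post above (not part of the original post): a credentials file kept above the webroot, with a check at the top that the requested file is not the include itself. The file names, directory layout, function name `is_direct_request` and credential values are assumptions made for illustration.

```php
<?php
// Added example: private/db_config.php (hypothetical name), stored ABOVE the
// webroot, e.g. /var/www/private/ when the webroot is /var/www/html (assumed layout).

/**
 * True when $includeFile is the script the web server was asked to run,
 * i.e. the include was requested directly instead of being included by a page.
 */
function is_direct_request(string $includeFile, array $server): bool
{
    if (empty($server['SCRIPT_FILENAME'])) {
        return false;
    }
    $requested = realpath($server['SCRIPT_FILENAME']);
    return $requested !== false && $requested === realpath($includeFile);
}

if (is_direct_request(__FILE__, $_SERVER)) {
    // The check from the post: behave as if the file does not exist.
    http_response_code(404);
    exit;
}

// Placeholder values (constructed); real credentials live only in this file.
return [
    'host' => 'localhost',
    'user' => 'app_user',
    'pass' => 'CHANGE_ME',
    'name' => 'app_db',
];

// In a public page (e.g. /var/www/html/index.php) only this path is disclosed
// if the page is ever served unparsed:
//
//   $db   = require __DIR__ . '/../private/db_config.php';
//   $link = mysqli_connect($db['host'], $db['user'], $db['pass'], $db['name']);
```

The check at the top only runs while PHP is parsing files; if the server is sending scripts unparsed, it is the location above the webroot that keeps this file from being requested at all.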

Fou-Lu
11-11-2004, 03:25 PM
Yeah, php is always hidden, but if your web server is experiencing issues, it may not parse it, and hence you end up with being able to view the full php.
The trick that I would use to fix this, if I'm worried about it, would be to set up a verification in the beginning of your script:

<?php
define('ISPHP', true);
if (!defined('ISPHP'))
{
?>
<html>
<head>
<meta HTTP-EQUIV="refresh" content="0; url=http://yoururlhere.com/yourpage.html" />
</head>
<body>
<!-- Nothing needs to be here anyway... -->
</body>
</html>
<?php
}

/* The rest of your script here...*/


This should make it so if your server doesn't parse it, it will direct browser to a standard html page, I figure this to be a little bit more secure anyway.

marek_mar
11-11-2004, 05:20 PM
But if PHP is not parsed it won't work anyway, will it?

Fou-Lu
11-11-2004, 06:00 PM
It should, as long as it's at the top, it will recognize the refresh almost immediately. I'm not 100% certain now that you mention it, as the best I can do to test it is to unset the define. Other than that, I haven't disabled my php to see if it will work, but I would think it should. Only one way to find out for sure!

EDIT: No, no it doesn't. Pity.

rhodopsin
11-11-2004, 10:00 PM
Was hoping that I could hide some javascript in PHP. This javascript (in PHP) gets the time zone of the visitor and displays it to them.
<?php
echo '<SCRIPT Language="JavaScript">
var curDateTime = new Date()
document.write("GMT Offset for your time zone is ")
document.write(-(curDateTime.getTimezoneOffset()/60))
</SCRIPT>';
?>

The problem with the above is that if the visitor saves the web page and looks at the source code, they can see my javascript. But I know that the visitor cannot get his hands on PHP code, so I try to integrate the javascript into PHP more by putting the javascript in a PHP variable. However, it does not work.

<?php
$rup = '<SCRIPT Language="JavaScript">
var curDateTime = new Date()
document.write("GMT Offset for your time zone is ")
document.write(-(curDateTime.getTimezoneOffset()/60))
</SCRIPT>';
echo '$rup';
?>

Can anyone follow on from this such that I can hide my javascript? How can I integrate the javascript with the PHP to confer the javascript hidden - as it is so intertwined with the PHP - that the visitor cannot see any kind of functional source code.

Am I on the start of a promising track? Or is this a dead end? Once again, many thanks.

mcdougals4all
11-11-2004, 10:12 PM
Yup, this is a dead end. :(

However you integrate your javascript, the PHP will have been parsed by the time it reaches the client, leaving just your javascript as the output, which has to be delivered to the client to function.

raf
11-12-2004, 11:46 AM
Why don't you just use an "IP to timezone" conversion with PHP?

I also think you are approaching this completely wrong. If you grab the time/date clientside, then you should not be concerned that people can see the script, but that people will manipulate their time-settings. Even if you would be able to hide the javascript, it would still be the same people that would manipulate it, and resetting their system time would be the first thing they would try. I wouldn't need to see your actual code to figure out how you determine the redirect. There are basically just 2 ways: IP to timezone serversided, or a clientside script like JavaScript, so if they bother how you redirect, it won't take me a minute (even without seeing any code) to figure out which of the two you use + how I can get around it; spoofing their IP or resetting their system time...