PG Software Development

Hi Clifton,

If you have time ...

I've been looking at the developer tools provided on Google Chrome. It's a bit disconcerting to find that large parts of the file system on my web server are completely visible and you can even get the contents of each file 100%! However the parts that are visible do not seem to include the Toolbook and Powerpac programming. Is that correct? The visible files I found were all in files loaded by pgGoToURL(). They were things like my online recording system, my uploading system etc.

I'm not too bothered about people accessing these files which after all contain mainly open source code but I plan to use encrypted passwords to allow users to access there own personal files. How safe will that be? Safer if I use serverside php maybe?

I have a particular complicated problem. I want to make the internet version of my program compatible with the existing Windows version. Both versions are basically tools for creating exercises for students to be used on computers and other devices. The Windows version contains a system to prevent users selling exercises without first obtaining a distribution license. It uses an internal .Net Framework library to encrypt certain elements and all this remains invisible of course. I have found another way to carry out the encryption on the Windows version using Javascript. The program writes an html file and a js open source encryption file to the local appData folder. The html file is loaded into a VS webBrowser object. The text of the html file can then be modified by the VS program and by using onpropertychange I can retrieve encoded or decoded text. In this way whatever is to be encoded always remains invisible. Surprisingly all this works!

My problem is that if I use the same js encryption file on my server for the internet version of the program, anyone can access and copy it. I can't use DHTML and Powerpac on a local computer. Any thoughts?

To preserve security of sensitive user data, take a look at the PowerPac function pgStringEncrypt(). This function is able to provide 256 bit AES password-based string encryption. This is a very powerful encryption method.

As far as protecting your code, you should put any custom js that you write in separate files that are loaded in the head section of the html page as <script src="file path"></script>. When you write your functions, you may want to consider using less obvious function names and variables; stuff only you would know what it is. In addition, the js files should be at least minified to make them harder to decipher. I wrote a little exe to automatically compress/minify the PowerPac js files to save bandwidth during load and to provide a measure of security for the functions. ToolBook exports are obfuscated, which doesn't make them impossible to decipher but very difficult. I believe ToolBook pages are very difficult to disassemble in any useful way by prying eyes.

If your Windows version of the program is "Windows-only", then you can use the IE web browser control to load up a hidden server page that passes encrypted data back and forth to the Windows program and which may or may not be used to control access to the web as needed. I do this with some of the Almena Method Typing software versions. Some of these are local installations but use the web browser control for various tasks that involve HTML or web communication (database, etc.).

Thanks Clifton, I'll try to apply your suggestions.

Re your last paragraph I think the system I have made for my Windows version is doing something very similar but without the need to use an external server. I just use a local file to access the (javascript) encryption system that is identical to the one I shall use on the internet version. In this way encrypted parts of files can be created on one version and used on the other.

PS I am currently struggling with the use of a single-select Toolbook field. Hopefully I'll come up with a solution. If not I'm afraid I'll be back again this evening.

thanks