show google map markers with php

Question

Hi everyone!

Im working on a google map project where the user can type in a address and gets the result of nearby restaurants ploted on a google map. So far no problems. I've created a ajax call where the backend outputs and xml and then with jquery I create the markers.

But now to my problem.

With this ajax solution anyone can easily with firebug or other webdeveloper tool access the xml result that contains all names, latitudes, longitudes of the restaurant I have. I want to somehow protect the data that is showed.

How can I do this?

How can I plot google map markers with php without jquery? Can it be done?

thx in advance!

Answer 1

The only way to protect the data is to render the map before sending it to the browser. Doing that will take most or all the cool features of google maps away since you'd have to display just an image.

Any data that is accessable by google maps is accessable by someone with firebug.

Answer 2

Google Maps Markers for an interactive map (using a the GMap2 object in the API) must be created on the client side (in Javascript) and are therefore vulnerable to reverse engineering the data.

If you want to generate the map data on the server, then you are limited to static functionality on the client. You can use the Google Static Maps API to build a URL on the server, which includes the information about the markers you want to display and the region that the static map will show. This approach sacrifices some usability for the client (no dynamic zooming, panning, marker popups etc...) to protect your data.

N.B. A determined engineer will still be able to access your data (albeit with some difficulty) by:

• Parsing your static maps URL to determine the map region
• Analyzing the image data to find markers and determine their locations.

Answer 3

Simple answer - you can't.

---

Long answer

You could draw an image overlay on server-side, kinda like Wikipedia overlay in Google maps, but I don't think it's worth the effort.

You could also store a key in php session and pass it to JavaScript on initial page load and then don't return the data if data isn't requested trough Ajax with the correct key (which is unique per browser session). This would just protect you from simple bots which don't support cookies. More mess then gain.

Also remember that if someone were to write competing site using your server as data-source then they would still have to tunnel Ajax requests trough their own server because you can't do cross-domain requests with JavaScript therefore you would see a lot requests from same IP (their web-server) in your web-logs and you could easily ban that IP. (Unless they download all at once and then serve from their own server).

And is it really necessary? It's not like restaurant locations are top secret.

Answer 4

Some things you can do to make life difficult for someone trying to grab your data:

In your server code, examine the headers to see if the request came from your client page. If the request came from anywhere else, return nothing.

Encode the data that you return from the server. Decode it as late as possible in your client code, so that you only have the plaintext for one restaurant in Javascript variables at any one time. That way someone with Firebug can only directly read one restaurant at a time.

Have your server only return a limited number of locations at once, even if somebody uses Firebug to change the request parameters so that it asks for restaurants within a huge radius. That way they can only grab the cyphertext for that many locations at once to paste into their own code in which they've placed a copy of your decoding function.

Instead of grabbing the cyphertext for even that limited number of locations in a single call, send multiple requests that each return a very small number of locations, with an extra parameter specifying which chunk of restaurants is requested.

Its not foolproof, but for someone to grab substantial quantities of your data will either take them a long time, or require fairly sophisticated attack techniques, such as spoofing the request headers.