
PHP variables are shown in the console when returned to Javascript with Json Encode

I am performing some validation with JS and PHP, but I happened to open the Firebug inspect console and all the variables come up in the console, as shown in the screenshot. I thought that if I return a variable from PHP with Json Encode it would be hidden, but it is visible in the console.

Is there a way to hide those values from showing to the user in the console? The main logic of the validation is in JavaScript, with conditions like the ones below; I then compare the values in JS to see if they are equal to the strings in PHP.

    $row1 = "10010010";
    $row2 = "01001001";
    $row3 = "00100100";
    $row4 = "10010010";
    $row5 = "01001001";
    $row6 = "00100100";
    $row7 = "10010010";
    $row8 = "01001001";

    // Send all eight rows to the browser as JSON
    echo json_encode([
        'row1' => $row1,
        'row2' => $row2,
        'row3' => $row3,
        'row4' => $row4,
        'row5' => $row5,
        'row6' => $row6,
        'row7' => $row7,
        'row8' => $row8,
    ]);

In JS:

    // logic of validation in JS
    if (jsVariable === data.row1) {
        // ...
    } else {
        // ...
    }
    if (jsVariable2 === data.row2) {
        // ...
    } else {
        // ...
    }


There are some very important things to learn here:

  1. Everything sent to the browser is visible to the user. This was true even before every browser shipped with debug tools, because the browser runs on the user's computer, so if the browser can see it, the user can see it.
  2. Anything run on the browser is under the control of the user. This means that client-side validation should only be used for user-friendliness, never for security. All validation must be re-run on the server, because the user can submit whatever data they want.

You can pass encrypted or hashed data to the browser in order for it to be passed back, or you can pass an opaque token that allows you to look up a particular piece of data on the server when it's passed back (this is generally referred to as a "session").

Note that if you decrypt the data in the browser, the user can intercept the decrypted copy. In short, never trust the browser.
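
The server-side check the answer calls for, as an added example that is not part of the original post: the expected strings never leave PHP, and the browser receives only true/false verdicts. The `validate.php` endpoint name, the `rows` request field and the `validateRows` helper are assumptions.

```php
<?php
// validate.php (hypothetical endpoint name)
declare(strict_types=1);

// Expected values stay on the server; these are the constants from the question.
const EXPECTED_ROWS = [
    'row1' => '10010010', 'row2' => '01001001', 'row3' => '00100100', 'row4' => '10010010',
    'row5' => '01001001', 'row6' => '00100100', 'row7' => '10010010', 'row8' => '01001001',
];

/**
 * Compare submitted rows with the expected ones and return only verdicts.
 * Anything that is not an 8-character string of 0s and 1s is rejected.
 */
function validateRows(array $submitted, array $expected): array
{
    $result = [];
    foreach ($expected as $name => $want) {
        $got = $submitted[$name] ?? null;
        $wellFormed = is_string($got) && preg_match('/\A[01]{8}\z/', $got) === 1;
        // hash_equals() compares in constant time, so timing does not reveal a partial match.
        $result[$name] = $wellFormed && hash_equals($want, $got);
    }
    return $result;
}

if (PHP_SAPI !== 'cli') {
    // Web request: read the JSON body, e.g. {"rows": {"row1": "10010010", ...}} ("rows" is an assumed field).
    $body = json_decode(file_get_contents('php://input') ?: '', true);
    $rows = is_array($body) && is_array($body['rows'] ?? null) ? $body['rows'] : [];
    header('Content-Type: application/json');
} else {
    // Command line: constructed sample input in which row2 is wrong on purpose.
    $rows = EXPECTED_ROWS;
    $rows['row2'] = '11111111';
}

$verdicts = validateRows($rows, EXPECTED_ROWS);
echo json_encode([
    'rows'  => $verdicts,                          // true/false per row, never the expected string
    'valid' => !in_array(false, $verdicts, true),  // overall verdict
]), PHP_EOL;
```

Each row has only 256 possible values, so per-row verdicts let a client recover a row by repeated guessing; limit attempts per session, or return only the overall `valid` flag, if the values themselves must stay secret.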
