#1

code comments passed to end-user

    I'm a firm believer in the fact that if they don't know what it is they can't break it. So, being the paranoid person that I am, I want to know if there is an easy way to remove all of the comments in the code once I go live. All of these comments are passed on to anyone who cares to view the source code. To me, this is a security risk. I'm not saying that zencart is insecure, but who knows what comments I've made to myself as well as the default comments? I didn't realize that they would be viewable to every script-kiddie in the universe.
    Is the only way to grep for every single "<!--" and "-->"?

    Thanks!
    Brick

#2

    ... and you think that removing the comments will make any real difference when the source code is freely available for all to use? (Unless you put a password in a comment somewhere)

#3

Quote Originally Posted by Brickoneer
I'm a firm believer in the fact that if they don't know what it is they can't break it.

This is not a fact, it's a hypothesis, and it's a hypothesis that's provably wrong. Google "Blind SQL injection attack."

#4

Good point, Kim.
My current mindset is that it's hard to break something if you don't know what it is. That would be the point of removing the comments. It's much easier to google phpbb exploits than it is to start blindly trying SQL injections when someone else has already done the work.
    If I hand you an application, and you wanted to break it, you'd want to figure out how it was made. (Well, depending on how you wanted to break it, but you get my point.)
    Regardless, I didn't realize this at first, and so as I customized my store I made comments to myself about how certain things worked for future reference. I did a search for <!-- in the code and it appears over 1300 times... so I'm hoping you guys have a good suggestion. Although I'm sure this is VERY secure, I don't want to tempt fate by allowing people to view the comments I've made about inner workings.
    Removing all the comments isn't necessary, it just seemed like an extra bit of security.
    Any ideas?
    Thanks for your time! What a great support group!
    Brick

P.S. Swguy, thanks for your input; my point was simply that it is harder to break blind... not that it can't be broken. That's why some script-kiddies target certain types of sites that use certain software, because there are known exploits. If it wasn't widely known what software is used, some of these, albeit harmless, attacks can be avoided. Who knows, it might also slow or even prevent a real attack. What's the harm?
    Last edited by Brickoneer; 24 Mar 2008 at 01:53 AM.

#5

Quote Originally Posted by Brickoneer
What's the harm?
    Here's the harm: you have a problem with how a page is being rendered. You want to get from the html page back to the original php that generated it. oops - you deleted all the clues that would make such a traceback straightforward. Before 1.3 there were a much smaller number of comments and it was quite tedious to work backwards.

    It doesn't buy you any additional security *and* it's going to make it more difficult to resolve problems.

#6

    Well - There is no easy way to do it. Have fun!

#7

    *glowers at kim*
    Ok, Thanks guys. I understand completely that removing comments will kill me down the road... now I need to come up with an easy way to rid myself of my personal comments.
    Thanks for your help.
    Brick

#8

You can comment inside a PHP tag, which will not be rendered.

#9

Quote Originally Posted by yellow1912
You can comment inside a PHP tag, which will not be rendered.

That's what I thought; I wasn't sure. Thanks!!
    I'll still need to scan through and make sure I don't have any stray comments outside of PHP tags... *sigh*
    Thanks guys!
    Brick
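A practical way to do the scan that posts #8 and #9 describe, added here as an example and not code from Zen Cart or from anyone in this thread: the script below walks a directory of `.php` templates, treats everything inside `<?php ... ?>` (or `<?= ... ?>`) as server-side, and reports every `<!-- ... -->` that sits outside those blocks, since that is exactly the text PHP passes through to the browser untouched. It can also rewrite such comments as `<?php /* ... */ ?>`, which the interpreter swallows before anything is sent. The template text it scans is constructed for the example; the `scan_tree`, `find_leaks` and `to_php_comments` names are this example's own. Two caveats a practitioner should know: it finds the end of a PHP block with a regex, so a literal `?>` inside a PHP string will confuse it, and it deliberately leaves IE conditional comments (`<!--[if ...]>`) and any comment containing `*/` or `?>` alone, because converting those would change the rendered page or break the PHP block.

```python
"""Find HTML comments that a PHP template will send to the browser.

Added example, not Zen Cart code. Assumes templates are .php files in which
everything inside <?php ... ?> / <?= ... ?> stays server-side and everything
else, including <!-- ... -->, is emitted verbatim to the client.
"""
import re
import sys
from pathlib import Path
from typing import Iterator, List, NamedTuple, Tuple

# A PHP block opens with <?php, <?= or a short tag <? followed by whitespace and
# runs to the next ?> or, if the file never closes its last block, to EOF.
# Simplification: a literal '?>' inside a PHP string would end the block early here.
PHP_BLOCK = re.compile(r"<\?(?:php\b|=|(?=\s)).*?(?:\?>|\Z)", re.DOTALL)
HTML_COMMENT = re.compile(r"<!--(.*?)-->", re.DOTALL)


class Leak(NamedTuple):
    path: str
    line: int   # 1-based line of the comment's opening '<!--'
    text: str   # comment body, whitespace-trimmed


def segments(src: str) -> Iterator[Tuple[bool, int, str]]:
    """Yield (is_php, offset, text) covering src in order: PHP blocks and HTML alternate."""
    pos = 0
    for m in PHP_BLOCK.finditer(src):
        if m.start() > pos:
            yield False, pos, src[pos:m.start()]
        yield True, m.start(), m.group(0)
        pos = m.end()
    if pos < len(src):
        yield False, pos, src[pos:]


def find_leaks(src: str, path: str = "<string>") -> List[Leak]:
    """Every HTML comment outside PHP blocks, i.e. every one the client will see."""
    leaks: List[Leak] = []
    for is_php, offset, text in segments(src):
        if is_php:
            continue  # PHP's own /* */, // and # comments never leave the server
        for m in HTML_COMMENT.finditer(text):
            start = offset + m.start()
            leaks.append(Leak(path, src.count("\n", 0, start) + 1, m.group(1).strip()))
    return leaks


def _is_conditional(body: str) -> bool:
    # <!--[if IE]> ... <![endif]--> is markup old IE acts on, not a note to strip.
    s = body.strip()
    return s.startswith("[if") or "<![endif]" in s


def _to_php_comment(m: "re.Match[str]") -> str:
    body = m.group(1)
    # '*/' would close the PHP comment early and '?>' would close the PHP block,
    # so those (and conditional comments) are left for a human to handle.
    if _is_conditional(body) or "*/" in body or "?>" in body:
        return m.group(0)
    return "<?php /*" + body + "*/ ?>"


def to_php_comments(src: str) -> str:
    """Rewrite leaking comments as <?php /* ... */ ?>; PHP blocks are copied untouched."""
    return "".join(text if is_php else HTML_COMMENT.sub(_to_php_comment, text)
                   for is_php, _offset, text in segments(src))


def scan_tree(root: str, suffixes: Tuple[str, ...] = (".php",)) -> List[Leak]:
    """Scan every template under root (for Zen Cart, e.g. includes/templates/)."""
    leaks: List[Leak] = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix in suffixes:
            leaks.extend(find_leaks(p.read_text(errors="replace"), str(p)))
    return leaks


# Constructed sample template: one server-side comment, three leaking HTML
# comments and one IE conditional comment that must survive conversion.
SAMPLE = """<?php
/* server-side note: never rendered */
require('includes/application_top.php');
?>
<!-- header: tpl_header.php -->
<div id="headerWrapper">
<?php if ($flag_disable_header != true) { ?>
  <!-- my note: the logo image comes from the template's images/ dir -->
  <?php echo $logo; ?>
<?php } ?>
<!--[if lt IE 9]><script src="html5shiv.js"></script><![endif]-->
</div>
<!-- footer: tpl_footer.php -->
"""

if __name__ == "__main__":
    found = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else find_leaks(SAMPLE, "sample.php")
    for leak in found:
        print(f"{leak.path}:{leak.line}: <!-- {leak.text} -->")
```

Run it with a template directory as the only argument to get a `file:line` list of every comment the browser would receive; run it with no argument to see it on the constructed sample. Review that list before letting `to_php_comments` rewrite anything, since post #5's point stands: the default `<!-- ... tpl_xxx.php -->` markers are what lets you trace rendered HTML back to the template that produced it, and the ones worth keeping server-side are your own notes.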
