  1. #1
    New Coder
    Join Date
    Jan 2011
    Posts
    32
    Thanks
    16
    Thanked 0 Times in 0 Posts

    Securer way than hidden data in forms?

    I have an explore script. A character comes along and wants to trade with you.
    So anyways the hidden data is the trader's id.
    So
    PHP Code:
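    // $tid (the trader's id) is written into the page, so the user can edit it before submitting
    echo ' <form method="post">
    <input type="hidden" name="traderid" value="'
    .htmlspecialchars($tid, ENT_QUOTES).'">
    <input type="submit" name="trading" value="Trade">
    </form> ';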

    That's what the form looks like.
    With Firefox's page editor add-ons, someone can change the id of the trader. Is there a secure way to pass this information?
    Last edited by ruletka; 09-18-2011 at 01:25 AM.

  • #2
    Senior Coder
    Join Date
    Apr 2010
    Posts
    1,453
    Thanks
    71
    Thanked 102 Times in 101 Posts
    There is a Firefox add-on for that? Very interesting... do you know the name of it?

  • #3
    New Coder
    Join Date
    Jan 2011
    Posts
    32
    Thanks
    16
    Thanked 0 Times in 0 Posts
    There's a few.
    Search results of it
    Firebug and page hacker are popular ones.
    I just now browsed upon cookie editor add-ons too, but I believe the sessions are hashed so it's not too vulnerable
    Edit cookies search
    >.> I wonder if anything is safe with all these addons
    Last edited by ruletka; 09-17-2011 at 02:05 PM.

  • #4
    Senior Coder
    Join Date
    Feb 2011
    Location
    Your Monitor
    Posts
    4,341
    Thanks
    60
    Thanked 527 Times in 514 Posts
    Blog Entries
    4
    Use sessions and / or a database.

    Hidden fields should only be used for things which aren't of great significance if the user changes it for whatever reason. Also you should always check the input is what you expect when the data is submitted.
    See my new CodingForums Blog: http://www.codingforums.com/blogs/tangoforce/

    Many useful explanations and tips including: Cannot modify headers - already sent, The IE if (isset($_POST['submit'])) bug explained, unexpected T_CONSTANT_ENCAPSED_STRING, debugging tips and much more!

  • Users who have thanked tangoforce for this post:

    ruletka (09-18-2011)

  • #5
    New Coder
    Join Date
    Jan 2011
    Posts
    32
    Thanks
    16
    Thanked 0 Times in 0 Posts
    So should the session be made, and put into the form, then decoded? or is that unsafe.

  • #6
    New Coder
    Join Date
    Aug 2011
    Location
    Melbourne, Brighton 3186
    Posts
    17
    Thanks
    1
    Thanked 2 Times in 2 Posts
    How did you resolve it?

  • #7
    Rockstar Coder
    Join Date
    Jun 2002
    Location
    USA
    Posts
    9,074
    Thanks
    1
    Thanked 328 Times in 324 Posts
    Quote Originally Posted by ruletka View Post
    So should the session be made, and put into the form, then decoded? or is that unsafe.
    No, look up using session variables in PHP. You won't need to put in any extra data into the form.
    OracleGuy
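
The session approach suggested in this thread, as an added example that is not code from any poster: the trader's id is stored server-side when the offer is shown, and the handler ignores anything the browser sends for it. The function names `show_trade_offer()` and `handle_trade()` and the session key `pending_trader` are hypothetical; the arrays stand in for `$_SESSION` and `$_POST` so the block runs from the command line.

```php
<?php
// Added example: keep the trader's id on the server, in the session.
// show_trade_offer(), handle_trade() and 'pending_trader' are hypothetical names.

// Called when the explore script decides a trader appears.
function show_trade_offer(array &$session, int $tid): string
{
    $session['pending_trader'] = $tid;   // stays on the server
    // The form carries no id, so there is nothing for the user to edit.
    return '<form method="post">'
         . '<input type="submit" name="trading" value="Trade">'
         . '</form>';
}

// Called when the form comes back. $post is whatever the browser sent.
function handle_trade(array &$session, array $post): ?int
{
    if (!isset($post['trading'], $session['pending_trader'])) {
        return null;                     // no offer is open for this user
    }
    $tid = $session['pending_trader'];   // any $post['traderid'] is ignored
    unset($session['pending_trader']);   // each offer can be accepted once
    return $tid;
}

// Constructed demonstration. In a real page, call session_start() first
// and pass $_SESSION and $_POST instead of these arrays.
$session  = [];
$html     = show_trade_offer($session, 7);
$tampered = ['trading' => 'Trade', 'traderid' => '999']; // field added with a page editor

var_dump(strpos($html, 'traderid') === false); // the id never reaches the browser
var_dump(handle_trade($session, $tampered));   // the server-side id is used
var_dump(handle_trade($session, $tampered));   // a second submit finds no open offer
```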

