bulgin Posted March 19, 2009
I have just spent much time constructing an application only to find out that if I use Tamper Data I can forge input values to the database for fields that were supposed to be 'read only'. What is the general methodology for preventing a user from inputting values through a tool like 'Tamper Data'? If I SSL-enable the site, would that help? Thanks.

PFMaBiSmAd Posted March 19, 2009
All external data cannot be trusted and must be validated once it reaches the web server to make sure it is what you expect. If you are doing something like passing important data using hidden fields in forms, that data must be validated and if you expect it to be safe from tampering, you should not pass it through the browser but should instead pass it through session variables so that it is not in the hands of the visitor/hacker. If you have a specific problem, post details to get the most direct solution.

bulgin Posted March 19, 2009
Thanks for your reply, PFMaBiSmAd. I'm not much of a PHP or MySQL guru but understand basic principles. So if I wrap values in variables then that information won't be visibly sent to the browser? Put another way, what is the general method of passing data to session variables from my application? And if I do that, you are saying this information -- in my case MySQL field names are visible in the 'tamper data' application -- will no longer show up in the 'tamper data' application? Thank you.
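
The approach from PFMaBiSmAd's answer, applied to the follow-up question, as an added example that is not part of the original thread: read-only values stay in the session, and the browser supplies only allow-listed fields under public names that the server maps to columns. The table, column and field names are hypothetical, and a plain array stands in for `$_SESSION` so the script runs from the command line.

```php
<?php
// Added example; names below are hypothetical, not from the thread.
// Public form field => [DB column, validation pattern]. Nothing else is accepted,
// and the real column names never appear in the HTML or the POST body.
const EDITABLE = [
    'nick'  => ['display_name', '/^[\w .-]{1,40}\z/u'],
    'phone' => ['phone_number', '/^\+?[0-9 ()-]{7,20}\z/'],
];

// When rendering the form: keep read-only values server-side instead of in
// hidden inputs. In a real page, pass $_SESSION after session_start().
function begin_edit(array &$session, int $recordId, int $ownerId): void
{
    $session['edit'] = ['record_id' => $recordId, 'owner_id' => $ownerId];
}

// When handling the POST: build the UPDATE only from allow-listed, validated input.
function build_update(array $session, array $post): array
{
    if (!isset($session['edit'])) {
        throw new RuntimeException('No edit in progress for this session');
    }
    $set = [];
    $params = [];
    foreach (EDITABLE as $field => [$column, $pattern]) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            continue; // field not submitted
        }
        if (!preg_match($pattern, $post[$field])) {
            throw new InvalidArgumentException("Invalid value for $field");
        }
        $set[] = "$column = :$field";
        $params[":$field"] = $post[$field];
    }
    if (!$set) {
        throw new InvalidArgumentException('Nothing to update');
    }
    // Read-only identifiers come from the session, never from $post.
    $params[':id'] = $session['edit']['record_id'];
    $params[':owner'] = $session['edit']['owner_id'];
    $sql = 'UPDATE accounts SET ' . implode(', ', $set)
         . ' WHERE id = :id AND owner_id = :owner';
    return [$sql, $params]; // hand both to PDO::prepare() and execute()
}

// Constructed request: a tampered POST carrying extra 'record_id' and 'is_admin' keys.
$session = [];
begin_edit($session, 42, 7);
$post = ['nick' => 'bulgin', 'record_id' => '1', 'is_admin' => '1'];
[$sql, $params] = build_update($session, $post);
echo $sql, "\n";
print_r($params);
```

The forged keys are still visible and editable in Tamper Data, but the server never reads them, so changing them has no effect on the query.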