IwnfuM Posted September 19, 2010 Share Posted September 19, 2010 hi , when I use hidden input tag and save there information to send with the form , is that secure? I mean , if the user or hacker or anything can change the value of the hidden tag? thanks , Mor. Link to comment https://forums.phpfreaks.com/topic/213798-hidden-data/ Share on other sites More sharing options...
fortnox007 Posted September 19, 2010 Share Posted September 19, 2010 Well hidden fields are only hidden in the view but not in the source. someone could change the value of the hidden field. So in case you have a game where a random number is shown and you ask them to guess if the next random number is higher or lower. someone could just set the value in the hidden field that will be the $_POST['var'] to 1 and press higher. or to like 100000 (if that's the max) and press lower. So if you want to use them, don't do so for crucial information like the price of a product or credentials. Maybe have a look in Sessions, it's a much nicer solution and it's not visible. Link to comment https://forums.phpfreaks.com/topic/213798-hidden-data/#findComment-1112758 Share on other sites More sharing options...
IwnfuM Posted September 19, 2010 Author Share Posted September 19, 2010 I wont put there a sensitive information of course . but still , the user can't set an other value in that hidden input right? just to make sure. thanks , Mor. Link to comment https://forums.phpfreaks.com/topic/213798-hidden-data/#findComment-1112760 Share on other sites More sharing options...
fortnox007 Posted September 19, 2010 Share Posted September 19, 2010 lol if you read my post, (even gave an example of altering values XD) YES HE CAN! (-B.Obama-) if someone has an addon for firefox named FireBug, he can simply inspect certain elements of your page and alter them. And that's just one way of doing it Link to comment https://forums.phpfreaks.com/topic/213798-hidden-data/#findComment-1112765 Share on other sites More sharing options...
IwnfuM Posted September 19, 2010 Author Share Posted September 19, 2010 alright . thanks , Mor. Link to comment https://forums.phpfreaks.com/topic/213798-hidden-data/#findComment-1112770 Share on other sites More sharing options...
fortnox007 Posted September 19, 2010 Share Posted September 19, 2010 OK get firefox, install firebug and run the script below. You will see that if you press inspect you can alter the value in the hidden field and always win. <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>hiddenfields</title> <link rel="stylesheet" type="text/css" href="css/styles.css" /> </head> <body> <h1>Just an example of something using hidden fields</h1> <?php //make random number $random_num = mt_rand(1,1000); //check if the form is submitted and value is higher if (isset($_POST['submit'])) if ($_POST['supersecretfield']<$random_num){ echo 'Good job the number is indeed higher'; }else{ echo 'the new number is lower than the previous! FAILZOR'; } //print it echo $random_num.'<br />'; echo 'previous number: '.$_POST['supersecretfield']; ?> <form name="new_form" action="higher.php" method="post"> <input type="hidden" name="supersecretfield" value="<?php echo $random_num; ?>" <input type="submit" name="submit" value="higher" /> </form> </body> </html> Link to comment https://forums.phpfreaks.com/topic/213798-hidden-data/#findComment-1112773 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.