Hidden, hidden input field


snakehill

I am currently coding a private download system which enables one to download password-protected files from external sites (e.g. MediaFire). The way it's done is that there is a form, the user clicks Submit and the password is posted right on the host's site itself, so that the download is triggered right away.

Though the idea seems all fine and it is very easy to do right from the HTML, the problem is that in the HTML you cannot hide hidden fields from a form in the page's source code. Therefore, I would like to have the form post to a PHP first, and this PHP, which includes the password, then posts it onto, let's say, MediaFire and fires the download. This way, the password is unseen and kept secret. The download should fire from MediaFire itself, else it uses my site's bandwidth on top of it.

The idea summed up: Page with submit button (no hidden field with password) -> post -> PHP file with password -> post -> External site.

The POST option (from PHP to the site) is a must, since most of these external sites seem to require it. MediaFire actually uses a post of a form field named downloadp.

Is this possible with just PHP? And if so, how?

I already got a JavaScript way of doing it (which can also be launched via PHP, but it still requires JavaScript). Basically, it uses a SESSION from the page with the form, and if this is available, the PHP file will launch another form with the password automatically through JavaScript, which triggers the external download. But if JavaScript is turned off, this wouldn't work, plus anyone who would like to get to the password could get there easily that way.

Thanks a lot for the help in advance! Much appreciated!


What you are asking is not possible, unless you pass the file through your server.

The client/browser making the http request for the download file must also supply the authentication as part of that http request. Anything you do through the client/browser can be seen or captured by the person using that client/browser.

The only 'secure' way of doing this, that doesn't expose the actual username/password to a visitor, is if the download site has an API that provides a unique/limited-use access token that you could then output to the client/browser to submit to the download site to provide the authentication.

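The limited-use token idea from the reply above, as an added example that is not code from the thread and not MediaFire's or any real host's API. It assumes a download host that shares a secret with the issuing site; `SHARED_SECRET`, `issueToken()` and `verifyToken()` are hypothetical names, and the demo values are constructed.

```php
<?php
declare(strict_types=1);

// Assumption: a secret known only to the issuing site and the download host.
// It stays on the servers; only the signed token is sent to the browser.
const SHARED_SECRET = 'constructed-demo-secret';

// Issuing site: bind the token to one file, an expiry time and a random nonce.
function issueToken(string $fileId, int $ttl, int $now): string {
    $payload = json_encode([
        'f'   => $fileId,
        'exp' => $now + $ttl,
        'n'   => bin2hex(random_bytes(8)),
    ]);
    return base64_encode($payload) . '.' . hash_hmac('sha256', $payload, SHARED_SECRET);
}

// Download host: check signature, file binding and expiry, then burn the nonce.
function verifyToken(string $token, string $fileId, int $now, array &$usedNonces): bool {
    $parts = explode('.', $token);
    if (count($parts) !== 2) return false;
    $payload = base64_decode($parts[0], true);
    if ($payload === false) return false;
    $expected = hash_hmac('sha256', $payload, SHARED_SECRET);
    if (!hash_equals($expected, $parts[1])) return false;   // constant-time compare
    $claims = json_decode($payload, true);
    if (!is_array($claims) || ($claims['f'] ?? null) !== $fileId) return false;
    if (($claims['exp'] ?? 0) < $now) return false;          // token has expired
    $nonce = (string)($claims['n'] ?? '');
    if ($nonce === '' || isset($usedNonces[$nonce])) return false; // replayed token
    $usedNonces[$nonce] = true;   // a real host would persist this server-side
    return true;
}

// Constructed demo: first use, replay, wrong file, expired token.
$used  = [];
$now   = time();
$token = issueToken('report.zip', 60, $now);
var_dump(verifyToken($token, 'report.zip', $now, $used));
var_dump(verifyToken($token, 'report.zip', $now, $used));
var_dump(verifyToken(issueToken('report.zip', 60, $now), 'other.zip', $now, $used));
var_dump(verifyToken(issueToken('report.zip', 60, $now - 120), 'report.zip', $now, $used));
```

A visitor who captures the token gets one download of one file within the time window, not the password itself. Placed in a URL, the token would need `rawurlencode()`.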

It's not really possible to hide information that you pass through the client, because all anyone needs to do to get it is to spend a little more time than the amount of time you spent in hiding it. Passing the actual password through the client will mean that, if your 'protected' content is of great enough value, your password will soon get shared all over the Internet.
