
security


magcr23


Hi guys, I have a problem. I have a website like this:

abnvyn7qrkls14r0uny.png

de-->From

para-->To

assunto-->subject

mensagem-->message

 

The first 3 fields are blocked to the user; since that's a reply, the user doesn't need to fill in the form again, only the message.

But if he goes to the source code (F12):

2rt48py5u27az6w9vom.png

he will be able to change that. I've already managed a way to block the "para" field, but I can't do it for the other 2.

 

That's the code:

echo '<tr><td>Para:<input value="' .$ln['emissor'] .'" id="destinatarioMSG" name="destinatarioMSG" type="text" readonly="readonly" required ></td></tr>';

<tr><td>Assunto:<input value ="<?php echo $ln['assunto'];?>" id="assuntoMSG" name="assuntoMSG" type="text" readonly="readonly" required ></td></tr>

// Sender comes from the session; recipient, subject and root id are read back from the submitted form.
$de = $_SESSION["user"];
@$para = limpa($_POST["destinatarioMSG"]);
@$assunto = limpa($_POST["assuntoMSG"]);
@$mensagem = mysqli_real_escape_string($con, $_POST["corpoMSG"]);
@$data = date('Y-m-d');
@$raiz = limpa($_POST["IDmsg"]);

if ( ! empty( $_POST ) ) {
    $msg = "INSERT INTO mensagens(id, emissor, destinatario, mensagem, assunto, data, raiz, visivelEmissor, visivelDestinatario) VALUES (DEFAULT, '$de', '$para', '$mensagem', '$assunto', '$data', '$raiz', '1', '1' )";
    mysqli_query($con, $msg);
}

How can I block these 2 other fields?

https://forums.phpfreaks.com/topic/297096-security/

Simple, don't make them text fields in the first place.  Then on the processing side when the form is submitted, run a query to gather the missing info from the db.

I want them to be text fields, because then I will create an "edit" button to edit all data except the from.

 

Anyway, it was simple, but I'm so tired that I needed 30 mins to figure it out... I just need to match the data with the original data.

https://forums.phpfreaks.com/topic/297096-security/#findComment-1515208
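
The approach both replies describe, as an added example that is not part of the original thread: the recipient and subject of a reply are taken from the stored original message, and the posted `destinatarioMSG` / `assuntoMSG` values are ignored. PDO with an in-memory SQLite table stands in for the page's mysqli connection so it runs on its own; `saveReply`, the sample rows, and the reading of `IDmsg` as the id of the message being replied to are assumptions.

```php
<?php
// Added example: PDO + in-memory SQLite stand in for the page's mysqli connection.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE mensagens (id INTEGER PRIMARY KEY, emissor TEXT, destinatario TEXT,
    mensagem TEXT, assunto TEXT, data TEXT, raiz INTEGER,
    visivelEmissor INTEGER, visivelDestinatario INTEGER)');
// Constructed row: the message that is being replied to.
$db->exec("INSERT INTO mensagens VALUES (1, 'alice', 'bob', 'Hello', 'Invoice', '2015-06-01', 0, 1, 1)");

/**
 * Hypothetical helper: store a reply, taking recipient and subject from the
 * original row instead of from the readonly form fields.
 */
function saveReply(PDO $db, string $user, array $post): ?array
{
    // Assumption: IDmsg is the id of the message being replied to.
    $find = $db->prepare('SELECT emissor, assunto FROM mensagens WHERE id = ? AND destinatario = ?');
    $find->execute([(int) ($post['IDmsg'] ?? 0), $user]);
    $orig = $find->fetch(PDO::FETCH_ASSOC);
    if ($orig === false) {
        return null; // no such message, or it was not addressed to this user
    }
    $reply = [
        'emissor'      => $user,             // session value, as on the page
        'destinatario' => $orig['emissor'],  // reply goes to the original sender
        'mensagem'     => (string) ($post['corpoMSG'] ?? ''),
        'assunto'      => $orig['assunto'],  // subject copied from the original
        'data'         => date('Y-m-d'),
        'raiz'         => (int) $post['IDmsg'],
    ];
    // Bound parameters replace the string-built INSERT.
    $ins = $db->prepare('INSERT INTO mensagens (emissor, destinatario, mensagem, assunto, data, raiz,
        visivelEmissor, visivelDestinatario) VALUES (?, ?, ?, ?, ?, ?, 1, 1)');
    $ins->execute(array_values($reply));
    return $reply;
}

// Constructed request: the readonly fields were edited in the browser's dev tools.
$post = ['IDmsg' => '1', 'destinatarioMSG' => 'mallory', 'assuntoMSG' => 'Edited', 'corpoMSG' => 'Thanks'];
$saved = saveReply($db, 'bob', $post);
echo $saved['destinatario'], ' / ', $saved['assunto'], PHP_EOL; // stored values come from the DB row
var_dump(saveReply($db, 'carol', $post)); // carol was not the recipient of message 1
```

The form can keep showing the readonly inputs for display; the server simply never reads them back.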

Archived

This topic is now archived and is closed to further replies.
