muppet77 Posted August 9, 2017

Hi. I've got a setup at the moment that goes:

1. User completes an HTML form which gets passed by hidden forms to
2. A php/HTML page that uses this data by POST to then draw a graph in
3. Using phplot. Again the data is passed on a hidden form and POSTS are used.

My question is how can I change the set up so that users cannot access the posted data? Thank you.

Jacques1 Posted August 9, 2017

Why does this matter? What's the problem if the user accesses the data?

Sepodati Posted August 9, 2017

> My question is how can I change the set up so that users cannot access the posted data?

You can't. If you have to POST it, then it has to be with the user as a part of the request. As mentioned, though, why does it matter?

muppet77 (Author) Posted August 9, 2017

Hi. The user gets a graph output at the end and I don't want them to have access to the sensitive raw data due to the time it took for me to collect. Is there another way?

Sepodati Posted August 9, 2017

Keep the data server side, then. Pass along a reference to it if you have to pass something via forms. I don't think the flow has been explained enough here to understand why you're involving POST to begin with.

muppet77 (Author) Posted August 9, 2017

Hi. My description and explanations are pretty simple I'm afraid - only because of my newness to this. I've cobbled together some php pages and the user inputs some requirements in an HTML "hidden" form which is then passed to the next php page. A POST command gets the previously inputted data and then draws a graph in phplot. I've done it this way as it's the only way I know how.

Is there a way where the user can't see the "hidden" data that is passed on by the php pages (as some of it comes from an equation that I'd like to remain secret)? Thanks.

Sepodati Posted August 9, 2017

> Is there a way where the user can't see the "hidden" data that is passed on by the php pages

No. If you send it as a part of the page, the user can do whatever they want with it. Maybe look into sessions here to store the values? I assume they're specific to each user's request and that's a reason why they can't just be PHP variables/constants/functions strictly in the PHP script?

muppet77 (Author) Posted August 9, 2017

Yes they are specific to each user. The second php page then manipulates this data to get new values. These values are the ones I don't want the user to see. These new values are then passed to script three where the graph is drawn in phplot. Ideally I just want them to get the final graph with being able to see the POSTED data. You mention sessions....?

Sepodati Posted August 9, 2017

http://php.net/manual/en/intro.session.php

mac_gyver Posted August 9, 2017

> The second php page then manipulates this data to get new values. These values are the ones I don't want the user to see. These new values are then passed to script three where the graph is drawn in phplot.

The second page should also produce the plot. There's no need for a third page.

muppet77 (Author) Posted August 9, 2017

Thanks both. I will investigate what sessions are.

muppet77 (Author) Posted August 9, 2017

So this example by ranc - http://php.net/manual/en/session.examples.php

Is this what you mean? I'm not sure I follow how I'd use this.

muppet77 (Author) Posted August 9, 2017

Thanks for your patience with me!

Sepodati Posted August 9, 2017

Yeah, why can't you draw the graph on page 2? Honestly, if you want any more advice past this, you're going to need to start sharing code for each of the pages, so we can see what's really going on. Blank out your secret formulas, if necessary, but we have to see the flow clearly.

Edited August 9, 2017 by Sepodati

muppet77 (Author) Posted August 9, 2017

Thanks. I've read up on sessions and had a go in php, successfully getting a variable from one page to another.

General question - can a variable in a session be viewed by a user at all if it is not echoed? E.g. using Firebug or something to see what's happening behind the script? Thanks

Sepodati Posted August 9, 2017

> General question - can a variable in a session be viewed by a user at all if it is not echoed? E.g. using Firebug or something to see what's happening behind the script?

No, the user only sees the reference to the data, something the server uses to identify where the real data is at for that user. The data only exists on the server.

EDIT: That said, it's not a "secure" place to store things. You could echo $_SESSION or something containing session values accidentally or leave up a test script that exposes it or have a PHP vulnerability that can expose it.

Edited August 9, 2017 by Sepodati

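The flow suggested in this thread (derive the values on the server, keep them in the session, and draw the graph from there), shown as an added example that was not posted by anyone in the thread. The file name plot.php, the form field x_max and the function derive_points() are hypothetical, the formula is a placeholder, and PHPlot is assumed to be installed as phplot.php.

```php
<?php
// plot.php - added example; file name, field name and formula are hypothetical.
require_once 'phplot.php';   // PHPlot library, as used in the thread

session_start();             // the browser only ever receives the session ID cookie

// Placeholder for the private calculation; its code and raw output stay on the server.
function derive_points(float $xMax): array
{
    $points = [];
    for ($x = 0.0; $x <= $xMax; $x += 1.0) {
        $points[] = ['', $x, $x * $x];   // PHPlot 'data-data' row: label, x, y
    }
    return $points;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Step 1: validate the user's input and keep the derived values server-side.
    $xMax = filter_input(INPUT_POST, 'x_max', FILTER_VALIDATE_FLOAT);
    if ($xMax === false || $xMax === null || $xMax < 1 || $xMax > 1000) {
        http_response_code(400);
        exit('Invalid input');
    }
    $_SESSION['plot_points'] = derive_points($xMax);
    // The response carries no hidden fields, only a link back to this script.
    echo '<img src="plot.php?img=1" alt="Result graph">';
    exit;
}

if (isset($_GET['img'])) {
    // Step 2: the image request reads the values from the session, not from POST.
    if (empty($_SESSION['plot_points'])) {
        http_response_code(404);
        exit;
    }
    $plot = new PHPlot(800, 600);
    $plot->SetDataType('data-data');
    $plot->SetDataValues($_SESSION['plot_points']);
    $plot->SetPlotType('lines');
    $plot->DrawGraph();      // sends the image headers and the image bytes
    exit;
}
```

Viewing the page source or the browser's network tab for this flow shows the submitted x_max, the session cookie and the image bytes, but none of the values stored in $_SESSION['plot_points'].
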
cyberRobot Posted August 9, 2017

In case you're interested, the following page talks about session security:

http://php.net/manual/en/features.session.security.management.php

muppet77 (Author) Posted August 9, 2017

Ah thanks. If the "secret equation" is kept secret or at least the data it generates, then this may be the ticket. Thanks all.

muppet77 (Author) Posted August 10, 2017

Right think I've done it. If I post a URL please could someone have a look to see what "hidden" info you can get at, if any? (Not sure if I can post urls)