So I want to pass information in a form, but the information should not be changed whatsoever. I know in inputs you can just change it by inspecting something like a hidden input and changing the value before submitting, but how can I make it secure so that no one will be able to change a input what-so-ever?
I'd like to send information the same way I do with normal forms, just uneditable. If there's a way in PHP that's fine. Basically I want a secure version of this:
If disabled is true, then it will still be editable on inspect element right? Here is what I'm doing: I'm checking my main domain, and sending the login information over a form to another page as a quick login thing. So I need the information to be encrypted, but it has to be in a $_POST form, so that I can do if ($_POST) and so on... And thanks Robbinj, but as I said above, the information I'm sending is different for each login, so I won't be sure what the value is supposed to be. Any ideas?
I dont think I understand exactly what you want to do. If you need the value sent by the form to be encrypted there's a fuction called
md5();
.
You can encrypt the value like this:
$value = md5($_POST['something']); ?>
(Every bit of text always get the same kind of encrypted text, f.e the word 'code' would always look the same encrypted).
Also do you know about $_SESSION? This would be easier in your case I think, then you can store a session that you can use on other pages as well without bringing a new hidden form to every new page.
(Maybe I don't understand your problem correctly?)
I am using sessions, I just need a "validator" over subdomains (cause I can't use sessions over subdomains, and if you're thinking of a method, then I've checked and the only thing that works is where I need a file that I don't have access to.). The validator sends sensetive information from my main domain where they are logged in, to the subdomain to validate who they are and stuff. So I need to send information to another page that picks it up, and stores it in another session.
Basically here is how it works:
People log in at my main domain (say domain.com). They access a sub domain that needs login info. The subdomain detects that there is no $username or $password so it sends them to a "validator" on my main domain checking if they are logged in. If they are logged in, the validator sends the unique, very sensitive information back to the subdomain, where it makes a new session.
Yeah it would, but the subdomain has no idea what the username is supposed to be. That way if people edit the input that sends it to them, they can basically be anyone they want. This way I need to make sure that they can't edit the username since the subdomain relies on the information that the main domain send.
You need to secure the process differently, you can never assume form data hasn't been interfered with, so you need to validate everything server side.
The best way is to use a token that changes
We are basically talking about CSRF (Cross-site request forgery) protection. If you want to do this then you need to just make sure that the token you are using to validate changes regularly so that you don't need to worry about keeping it secret.
What you do it write the PHP session ID to a token in your page and then use it to validate the form posting against the authenticated session/user.
if ($_GET['crsftoken']!==session_id()) { header('location:error.php'); }
if the user does not have an authenticated session active, or if they have an out of date session id then they won't get any further. You can always regenerate the session id on every successful request to further secure it.
I use this same method with a client portal i maintain. The backend ajax is all delivered in JSON from publicly facing PHP scripts. I coded an html5 based iOS/android app that uses the same backend. The user authenticates once when they start the app and the token is passed to the device and that then gives the app access to the same JSON data without authenticating every request.
I have googled a lot, so I know about the session method. That is the method I use on the main domain, and I want to transfer, but my host won't allow me access to a certain file so I can't apply it to subdomains..
otherwise with php it would work if you did something like this:
Here is what I'm doing: I'm checking my main domain, and sending the login information over a form to another page as a quick login thing. So I need the information to be encrypted, but it has to be in a $_POST form, so that I can do if ($_POST) and so on...
And thanks Robbinj, but as I said above, the information I'm sending is different for each login, so I won't be sure what the value is supposed to be.
Any ideas?
If you need the value sent by the form to be encrypted there's a fuction called .
You can encrypt the value like this:
(Every bit of text always get the same kind of encrypted text, f.e the word 'code' would always look the same encrypted).
Also do you know about $_SESSION? This would be easier in your case I think, then you can store a session that you can use on other pages as well without bringing a new hidden form to every new page.
(Maybe I don't understand your problem correctly?)
Basically here is how it works:
People log in at my main domain (say domain.com).
They access a sub domain that needs login info.
The subdomain detects that there is no $username or $password so it sends them to a "validator" on my main domain checking if they are logged in.
If they are logged in, the validator sends the unique, very sensitive information back to the subdomain, where it makes a new session.
Understand :)?
Then just use a simple if/else on the form? Should work :)
Then i don't think I know what you could do, looks like I kinda missunderstood you from the beginning, sorry :)
unless you can use $_GET instead and get the username from the url? But maybe that wont work either when being sent to a subdomain..
The best way is to use a token that changes
We are basically talking about CSRF (Cross-site request forgery) protection. If you want to do this then you need to just make sure that the token you are using to validate changes regularly so that you don't need to worry about keeping it secret.
What you do it write the PHP session ID to a token in your page and then use it to validate the form posting against the authenticated session/user.
So put in your page
and then on validation do
if the user does not have an authenticated session active, or if they have an out of date session id then they won't get any further. You can always regenerate the session id on every successful request to further secure it.
This is the ideal solution, and should work just fine... I've never had problems
what "certain file" are you referring to? have you tried something like the example I gave above?