The forums ran from 2008-2020 and are now closed and viewable here as an archive.

Form post without a HTML form?

  • #39546
    schart
    Participant

    So I want to pass information in a form, but the information should not be changed whatsoever. I know in inputs you can just change it by inspecting something like a hidden input and changing the value before submitting, but how can I make it secure so that no one will be able to change an input whatsoever?

    #108618
    bradleybebad
    Member

    So…are you asking how to validate input data using html5, js, or server-side php?

    #108628
    robbinj
    Member

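    otherwise with php it would work if you did something like this:

    <?php
    // 'field_name' is a placeholder for the name of the form input
    $value = $_POST['field_name'] ?? '';

    // strict comparison, so numeric-looking strings such as '0123' do not match
    if ($value === '123') {
        // do this
    } else {
        // do this
    }
    ?>
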
    #108630
    robbinj
    Member

    I don't think I understand exactly what you want to do.
    If you need the value sent by the form to be encrypted there's a function called md5().

    You can encrypt the value like this:

    <?php
    // 'field_name' is a placeholder for the name of the form input
    $value = md5($_POST['field_name']);
    ?>

    (Every bit of text always gets the same kind of encrypted text, f.e. the word 'code' would always look the same encrypted).

    Also do you know about $_SESSION? This would be easier in your case I think, then you can store a session that you can use on other pages as well without bringing a new hidden form to every new page.

    (Maybe I don’t understand your problem correctly?)

    #108632
    robbinj
    Member

    Ah I get it :)

    Then just use a simple if/else on the form? Should work :)

    #108635
    robbinj
    Member

    I'm thinking of doing an if statement where the php will f.e. exit(); if the value is not what you want it to be. Wouldn't that work? :P

    #108637
    robbinj
    Member

    Ahh that sucks :)

    Then I don't think I know what you could do, looks like I kinda misunderstood you from the beginning, sorry :)

    unless you can use $_GET instead and get the username from the url? But maybe that won't work either when being sent to a subdomain..

    #108872
    bungle
    Member

    You need to secure the process differently, you can never assume form data hasn’t been interfered with, so you need to validate everything server side.

    The best way is to use a token that changes.

    We are basically talking about CSRF (Cross-site request forgery) protection. If you want to do this then you need to just make sure that the token you are using to validate changes regularly so that you don’t need to worry about keeping it secret.

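    What you do is write the PHP session ID to a token in your page and then use it to validate the form posting against the authenticated session/user.

    So put in your page

    <!-- "token" is a placeholder field name -->
    <input type="hidden" name="token" value="<?php echo session_id(); ?>"/>

    and then on validation do

    <?php
    // 'token' is the placeholder field name used in the form
    if (($_GET['token'] ?? null) !== session_id()) {
        header('Location: error.php');
        exit; // stop the script after sending the redirect
    }

    If the user does not have an authenticated session active, or if they have an out of date session id then they won't get any further. You can always regenerate the session id on every successful request to further secure it.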
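
One way to do the server-side check described in the post above, as an added example that is not part of the original thread. Instead of writing the session ID into the page, it keeps a random per-session key on the server and sends only an HMAC of the hidden value, so a value edited in the browser no longer matches. The function names, the field name `account_id` and the sample values are assumptions.

```php
<?php
declare(strict_types=1);

// Added example. Function names, the field name "account_id" and the sample
// values are hypothetical. $_SESSION is filled by hand so the script also runs
// from the command line; in a web request call session_start() first.

// Per-session random key. It stays on the server and is never put in the page.
function form_key(): string
{
    if (empty($_SESSION['form_key'])) {
        $_SESSION['form_key'] = random_bytes(32);
    }
    return $_SESSION['form_key'];
}

// MAC over field name and value, so a MAC cannot be moved to another field.
function sign_field(string $name, string $value): string
{
    return hash_hmac('sha256', $name . "\0" . $value, form_key());
}

// Constant-time comparison of the submitted MAC with the recomputed one.
function verify_field(string $name, string $value, string $mac): bool
{
    return hash_equals(sign_field($name, $value), $mac);
}

// Rendering the form: the value and its MAC both go into hidden inputs.
function hidden_field(string $name, string $value): string
{
    $n = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    $v = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    return "<input type=\"hidden\" name=\"{$n}\" value=\"{$v}\">\n"
         . "<input type=\"hidden\" name=\"{$n}_mac\" value=\"" . sign_field($name, $value) . "\">\n";
}

$_SESSION = [];                              // constructed session for the demo
echo hidden_field('account_id', '1042');

// Constructed submissions: one untouched, one edited in the browser inspector.
$mac      = sign_field('account_id', '1042');
$honest   = ['account_id' => '1042', 'account_id_mac' => $mac];
$tampered = ['account_id' => '1',    'account_id_mac' => $mac];

foreach (['honest' => $honest, 'tampered' => $tampered] as $label => $post) {
    $ok = verify_field('account_id', $post['account_id'], $post['account_id_mac']);
    echo $label, ': ', $ok ? "accepted\n" : "rejected\n";
}
```

The MAC only shows that the server issued this value for this session; whether the user is allowed to act on that value still has to be checked on the server.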

    #108873
    bungle
    Member

    I use this same method with a client portal I maintain. The backend ajax is all delivered in JSON from publicly facing PHP scripts. I coded an html5 based iOS/android app that uses the same backend. The user authenticates once when they start the app and the token is passed to the device and that then gives the app access to the same JSON data without authenticating every request.
