Forums

  • # August 28, 2012 at 1:24 pm

    So I want to pass information in a form, but the information should not be changed whatsoever. I know in inputs you can just change it by inspecting something like a hidden input and changing the value before submitting, but how can I make it secure so that no one will be able to change a input what-so-ever?

    # August 28, 2012 at 1:34 pm

    So…are you asking how to validate input data using html5, js, or server-side php?

    # August 28, 2012 at 3:03 pm

    otherwise with php it would work if you did something like this:

    < ?php

    $value = $_POST;

    if ($value == '123') {
    //do this
    }
    else {
    //do this
    }

    ?>
    # August 28, 2012 at 3:15 pm

    I dont think I understand exactly what you want to do.
    If you need the value sent by the form to be encrypted there’s a fuction called

    md5();

    .

    You can encrypt the value like this:


    $value = md5($_POST);
    ?>

    (Every bit of text always get the same kind of encrypted text, f.e the word ‘code’ would always look the same encrypted).

    Also do you know about $_SESSION? This would be easier in your case I think, then you can store a session that you can use on other pages as well without bringing a new hidden form to every new page.

    (Maybe I don’t understand your problem correctly?)

    # August 28, 2012 at 3:28 pm

    Ah I get it :)

    Then just use a simple if/else on the form? Should work :)

    # August 28, 2012 at 3:33 pm

    I’m thinking of doing an if statement where the php will f.e exit(); if the value is not what you want it to be. Wouldnt that work? :P

    # August 28, 2012 at 3:38 pm

    Ahh that sucks :)

    Then i don’t think I know what you could do, looks like I kinda missunderstood you from the beginning, sorry :)

    unless you can use $_GET instead and get the username from the url? But maybe that wont work either when being sent to a subdomain..

    # September 1, 2012 at 5:08 pm

    You need to secure the process differently, you can never assume form data hasn’t been interfered with, so you need to validate everything server side.

    The best way is to use a token that changes

    We are basically talking about CSRF (Cross-site request forgery) protection. If you want to do this then you need to just make sure that the token you are using to validate changes regularly so that you don’t need to worry about keeping it secret.

    What you do it write the PHP session ID to a token in your page and then use it to validate the form posting against the authenticated session/user.

    So put in your page



    "/>

    and then on validation do


    if ($_GET!==session_id()) {
    header('location:error.php');
    }

    if the user does not have an authenticated session active, or if they have an out of date session id then they won’t get any further. You can always regenerate the session id on every successful request to further secure it.

    # September 1, 2012 at 5:13 pm

    I use this same method with a client portal i maintain. The backend ajax is all delivered in JSON from publicly facing PHP scripts. I coded an html5 based iOS/android app that uses the same backend. The user authenticates once when they start the app and the token is passed to the device and that then gives the app access to the same JSON data without authenticating every request.

Viewing 9 posts - 1 through 9 (of 9 total)

You must be logged in to reply to this topic.

icon-anchoricon-closeicon-emailicon-linkicon-logo-staricon-menuicon-nav-guideicon-searchicon-staricon-tag