• # August 28, 2012 at 1:24 pm

    So I want to pass information in a form, but the information should not be changed whatsoever. I know in inputs you can just change it by inspecting something like a hidden input and changing the value before submitting, but how can I make it secure so that no one will be able to change a input what-so-ever?

    # August 28, 2012 at 1:34 pm

    So…are you asking how to validate input data using html5, js, or server-side php?

    # August 28, 2012 at 1:36 pm

    This reply has been reported for inappropriate content.

    I’d like to send information the same way I do with normal forms, just uneditable. If there’s a way in PHP that’s fine. Basically I want a secure version of this:

    So that it’s uneditable..

    # August 28, 2012 at 3:03 pm

    otherwise with php it would work if you did something like this:

    < ?php

    $value = $_POST;

    if ($value == '123') {
    //do this
    else {
    //do this

    # August 28, 2012 at 3:06 pm

    This reply has been reported for inappropriate content.

    If disabled is true, then it will still be editable on inspect element right?
    Here is what I’m doing: I’m checking my main domain, and sending the login information over a form to another page as a quick login thing. So I need the information to be encrypted, but it has to be in a $_POST form, so that I can do if ($_POST) and so on…
    And thanks Robbinj, but as I said above, the information I’m sending is different for each login, so I won’t be sure what the value is supposed to be.
    Any ideas?

    # August 28, 2012 at 3:15 pm

    I dont think I understand exactly what you want to do.
    If you need the value sent by the form to be encrypted there’s a fuction called



    You can encrypt the value like this:

    $value = md5($_POST);

    (Every bit of text always get the same kind of encrypted text, f.e the word ‘code’ would always look the same encrypted).

    Also do you know about $_SESSION? This would be easier in your case I think, then you can store a session that you can use on other pages as well without bringing a new hidden form to every new page.

    (Maybe I don’t understand your problem correctly?)

    # August 28, 2012 at 3:25 pm

    This reply has been reported for inappropriate content.

    I am using sessions, I just need a “validator” over subdomains (cause I can’t use sessions over subdomains, and if you’re thinking of a method, then I’ve checked and the only thing that works is where I need a file that I don’t have access to.). The validator sends sensetive information from my main domain where they are logged in, to the subdomain to validate who they are and stuff. So I need to send information to another page that picks it up, and stores it in another session.

    Basically here is how it works:

    People log in at my main domain (say
    They access a sub domain that needs login info.
    The subdomain detects that there is no $username or $password so it sends them to a “validator” on my main domain checking if they are logged in.
    If they are logged in, the validator sends the unique, very sensitive information back to the subdomain, where it makes a new session.

    Understand :)?

    # August 28, 2012 at 3:28 pm

    Ah I get it :)

    Then just use a simple if/else on the form? Should work :)

    # August 28, 2012 at 3:29 pm

    This reply has been reported for inappropriate content.

    What do you mean? The only thing that I need is to send the username (without it being edit-able by the user) to the subdomain :)

    # August 28, 2012 at 3:33 pm

    I’m thinking of doing an if statement where the php will f.e exit(); if the value is not what you want it to be. Wouldnt that work? :P

    # August 28, 2012 at 3:34 pm

    This reply has been reported for inappropriate content.

    Yeah it would, but the subdomain has no idea what the username is supposed to be. That way if people edit the input that sends it to them, they can basically be anyone they want. This way I need to make sure that they can’t edit the username since the subdomain relies on the information that the main domain send.

    # August 28, 2012 at 3:38 pm

    Ahh that sucks :)

    Then i don’t think I know what you could do, looks like I kinda missunderstood you from the beginning, sorry :)

    unless you can use $_GET instead and get the username from the url? But maybe that wont work either when being sent to a subdomain..

    # August 28, 2012 at 3:39 pm

    This reply has been reported for inappropriate content.

    No problem, thank’s for caring :)

    # September 1, 2012 at 5:08 pm

    You need to secure the process differently, you can never assume form data hasn’t been interfered with, so you need to validate everything server side.

    The best way is to use a token that changes

    We are basically talking about CSRF (Cross-site request forgery) protection. If you want to do this then you need to just make sure that the token you are using to validate changes regularly so that you don’t need to worry about keeping it secret.

    What you do it write the PHP session ID to a token in your page and then use it to validate the form posting against the authenticated session/user.

    So put in your page


    and then on validation do

    if ($_GET!==session_id()) {

    if the user does not have an authenticated session active, or if they have an out of date session id then they won’t get any further. You can always regenerate the session id on every successful request to further secure it.

    # September 1, 2012 at 5:13 pm

    I use this same method with a client portal i maintain. The backend ajax is all delivered in JSON from publicly facing PHP scripts. I coded an html5 based iOS/android app that uses the same backend. The user authenticates once when they start the app and the token is passed to the device and that then gives the app access to the same JSON data without authenticating every request.

Viewing 15 posts - 1 through 15 (of 18 total)

You must be logged in to reply to this topic.