Hidding defined variables in POST
8 posts by 4 authors in: Forums > CMS Builder
Last Post: August 14, 2009 (RSS)
By eduran582 - August 13, 2009
I'm trying to figure out a way to hide some pre-defined variables (about 8) that will be included in a POST to another form. There will also be user input posted as well which will be included in the POST but does not need to be hidden when POSTed.
Example: one of the pre-defined variables that MUST be hidden will be "version" with a value of "1.0" and will be the first variable in the information sent in the POST when submitted. If I put it in the form itself (<input type="hidden" name="version" value="1.0!" />) anyone viewing the source will see the value of 'version'. If I can figure out a way to do that in php, it will not show up when viewed in the source.
Any suggestions?
TIA! [:)]
Eric
Re: [eduran582] Hidding defined variables in POST
By Chris - August 13, 2009
This isn't possible without forwarding the request through your own program, which is not really a simple thing to do. To do this, you'd need the form to submit to your own custom web software, which would then turn around and make another request to the final page with the user's form data plus your extra secret data. There are a bunch of other things that might make this even more complicated (e.g. cookies.) We could custom build a solution for you through consulting. Let us know if you're interested in that.
However, there might be an alternative approach.
What exactly is it that you're trying to do? What are you posting to, and why is there danger in visitors seeing (and being able to change) the value of, for example, "version"?
Hope this helps!
Chris
Re: [chris] Hidding defined variables in POST
By eduran582 - August 13, 2009
Thanks for replying. The reason for the "secrecy" is in the form being used; it will be used to make a payment to a 3rd party vendor gateway and the 'secret' fields consist of various information like terminal ID, terminal password, etc. As you can see, if I used the "hidden" form field approach, anyone viewing the source would have access to this information. The "version" field is just one of the required fields that must be sent to the vendor.
The alternative you mentioned is exactly what I was considering pending a non-feasible possibility using what I described; having the user data (credit card, name, etc) sent (POSTed) to another page where it would be processed in a more secure manner before sending to the 3rd party gateway along with the "secret" info for processing. I just haven't decided how or what language I would approach that with yet [unsure]
I'm not above considering a custom build but, like everyone now-days, do not have a big budget for this project. Can you give me an idea of how complex this might be in terms of time and I'll consult with my customer. I'd be happy to call and give more details.
Thanks!
Eric
Re: [eduran582] Hidding defined variables in POST
By aev - August 13, 2009
have you checked if your 3rd party vendor have any instructions or recommendations on how to use their gateway securely?
-aev-
Re: [aev] Hidding defined variables in POST
By eduran582 - August 13, 2009
The 3rd party vendor, nor their IT staff, are not very helpful and simply referred me to another entity that was using the same gateway I guess thinking I could just email them asking for help. The "Integration Guide" they send simply defines the variables required and what type of input is needed from the user and then in a short section states: "...simply construct a message as described in Section 2, and follow the transaction type requirements as outlined in tables in Section 7, and POST it to a <3rd party vendor> URL that is provided to you. The request should be POSTed as ....." Section 2 defines the all fields and section 7 defines the required fields.
Following their instructions would allow the user to see the required information I mentioned in my prior posts; not acceptable. So in a nutshell, no; the did not have any recommendations on how to use their gateway securely.
Thanks for asking.
Eric
Re: [eduran582] Hidding defined variables in POST
By aev - August 13, 2009
-aev-
Re: [aev] Hidding defined variables in POST
By eduran582 - August 13, 2009
Eric
Re: [eduran582] Hidding defined variables in POST
By Dave - August 14, 2009
If you can email me some details to dave@interactivetools.com I can give you some suggestions and options.
Hope that helps!
interactivetools.com