Hidding defined variables in POST

8 posts by 4 authors in: Forums > CMS Builder
Last Post: August 14, 2009   (RSS)

By eduran582 - August 13, 2009

Hello all,

I'm trying to figure out a way to hide some pre-defined variables (about 8) that will be included in a POST to another form. There will also be user input posted as well which will be included in the POST but does not need to be hidden when POSTed.

Example: one of the pre-defined variables that MUST be hidden will be "version" with a value of "1.0" and will be the first variable in the information sent in the POST when submitted. If I put it in the form itself (<input type="hidden" name="version" value="1.0!" />) anyone viewing the source will see the value of 'version'. If I can figure out a way to do that in php, it will not show up when viewed in the source.

Any suggestions?

TIA! [:)]

Eric

Re: [chris] Hidding defined variables in POST

By eduran582 - August 13, 2009

Hi Chris,

Thanks for replying. The reason for the "secrecy" is in the form being used; it will be used to make a payment to a 3rd party vendor gateway and the 'secret' fields consist of various information like terminal ID, terminal password, etc. As you can see, if I used the "hidden" form field approach, anyone viewing the source would have access to this information. The "version" field is just one of the required fields that must be sent to the vendor.

The alternative you mentioned is exactly what I was considering pending a non-feasible possibility using what I described; having the user data (credit card, name, etc) sent (POSTed) to another page where it would be processed in a more secure manner before sending to the 3rd party gateway along with the "secret" info for processing. I just haven't decided how or what language I would approach that with yet [unsure]

I'm not above considering a custom build but, like everyone now-days, do not have a big budget for this project. Can you give me an idea of how complex this might be in terms of time and I'll consult with my customer. I'd be happy to call and give more details.

Thanks!

Eric

Re: [eduran582] Hidding defined variables in POST

By aev - August 13, 2009

Hi,

have you checked if your 3rd party vendor have any instructions or recommendations on how to use their gateway securely?

-aev-

Re: [aev] Hidding defined variables in POST

By eduran582 - August 13, 2009

Hi aev,

The 3rd party vendor, nor their IT staff, are not very helpful and simply referred me to another entity that was using the same gateway I guess thinking I could just email them asking for help. The "Integration Guide" they send simply defines the variables required and what type of input is needed from the user and then in a short section states: "...simply construct a message as described in Section 2, and follow the transaction type requirements as outlined in tables in Section 7, and POST it to a <3rd party vendor> URL that is provided to you. The request should be POSTed as ....." Section 2 defines the all fields and section 7 defines the required fields.

Following their instructions would allow the user to see the required information I mentioned in my prior posts; not acceptable. So in a nutshell, no; the did not have any recommendations on how to use their gateway securely.

Thanks for asking.

Eric

Re: [eduran582] Hidding defined variables in POST

By aev - August 13, 2009

Maybe not an option.. could you simply use another 3rd party vendor providing better support?

-aev-

Re: [aev] Hidding defined variables in POST

By eduran582 - August 13, 2009

HAHAHAHA! [;)] I wish! Unfortunatly, the customer specified this vendor which I think they have a contract with anyway. Heck, I suggested PayPal which I use and have had no problems. Oh well,...

Eric

Re: [eduran582] Hidding defined variables in POST

By Dave - August 14, 2009

Hi Eric,

If you can email me some details to dave@interactivetools.com I can give you some suggestions and options.

Hope that helps!
Dave Edis - Senior Developer
interactivetools.com