Hidding defined variables in POST

8 posts by 4 authors in: Forums > CMS Builder
Last Post: August 14, 2009   (RSS)

Hello all,

I'm trying to figure out a way to hide some pre-defined variables (about 8) that will be included in a POST to another form. There will also be user input posted as well which will be included in the POST but does not need to be hidden when POSTed.

Example: one of the pre-defined variables that MUST be hidden will be "version" with a value of "1.0" and will be the first variable in the information sent in the POST when submitted. If I put it in the form itself (<input type="hidden" name="version" value="1.0!" />) anyone viewing the source will see the value of 'version'. If I can figure out a way to do that in php, it will not show up when viewed in the source.

Any suggestions?

TIA! [:)]

Eric

Re: [eduran582] Hidding defined variables in POST

By Chris - August 13, 2009

Hi eduran582,

This isn't possible without forwarding the request through your own program, which is not really a simple thing to do. To do this, you'd need the form to submit to your own custom web software, which would then turn around and make another request to the final page with the user's form data plus your extra secret data. There are a bunch of other things that might make this even more complicated (e.g. cookies.) We could custom build a solution for you through consulting. Let us know if you're interested in that.

However, there might be an alternative approach.

What exactly is it that you're trying to do? What are you posting to, and why is there danger in visitors seeing (and being able to change) the value of, for example, "version"?

Hope this helps!
All the best,
Chris

Re: [chris] Hidding defined variables in POST

Hi Chris,

Thanks for replying. The reason for the "secrecy" is in the form being used; it will be used to make a payment to a 3rd party vendor gateway and the 'secret' fields consist of various information like terminal ID, terminal password, etc. As you can see, if I used the "hidden" form field approach, anyone viewing the source would have access to this information. The "version" field is just one of the required fields that must be sent to the vendor.

The alternative you mentioned is exactly what I was considering pending a non-feasible possibility using what I described; having the user data (credit card, name, etc) sent (POSTed) to another page where it would be processed in a more secure manner before sending to the 3rd party gateway along with the "secret" info for processing. I just haven't decided how or what language I would approach that with yet [unsure]

I'm not above considering a custom build but, like everyone now-days, do not have a big budget for this project. Can you give me an idea of how complex this might be in terms of time and I'll consult with my customer. I'd be happy to call and give more details.

Thanks!

Eric

Re: [eduran582] Hidding defined variables in POST

By aev - August 13, 2009

Hi,

have you checked if your 3rd party vendor have any instructions or recommendations on how to use their gateway securely?

-aev-

Re: [aev] Hidding defined variables in POST

Hi aev,

The 3rd party vendor, nor their IT staff, are not very helpful and simply referred me to another entity that was using the same gateway I guess thinking I could just email them asking for help. The "Integration Guide" they send simply defines the variables required and what type of input is needed from the user and then in a short section states: "...simply construct a message as described in Section 2, and follow the transaction type requirements as outlined in tables in Section 7, and POST it to a <3rd party vendor> URL that is provided to you. The request should be POSTed as ....." Section 2 defines the all fields and section 7 defines the required fields.

Following their instructions would allow the user to see the required information I mentioned in my prior posts; not acceptable. So in a nutshell, no; the did not have any recommendations on how to use their gateway securely.

Thanks for asking.

Eric

Re: [eduran582] Hidding defined variables in POST

By aev - August 13, 2009

Maybe not an option.. could you simply use another 3rd party vendor providing better support?

-aev-

Re: [aev] Hidding defined variables in POST

HAHAHAHA! [;)] I wish! Unfortunatly, the customer specified this vendor which I think they have a contract with anyway. Heck, I suggested PayPal which I use and have had no problems. Oh well,...

Eric