|
PHP - Securing 'hidden' Form Values
If I store a value in a hidden form control, and then use that as a means to pass the value to another PHP script, could that cause any security issues?
Similar TutorialsHello, My question is how to send values over and over without using forms or even hidden forums. I have tried to use sessions but it didn't work out for me. Any suggestions! So, I have a checkbox, like so: (uci is an ID number) <input type='checkbox' name='cars[]' value='".$row['uci']."' /> That is passed to the next page via the form. However I need to pass the id numbers again, through to a third and final page. Currently I'm trying to do it through hidden inputs, but all I get returned to me is the word, "Array". This is the second page, displaying the data it recieves from the checkbox on the first page and attempting to send it through to the third page via a hidden input. $ids = $_POST['cars']; ... Displays data here... ... <form action='step_3.php' method='POST'> <input type='hidden' name='cars' value='$ids' /> <input type='submit' name='submit' value='Final Step' /> </form> I also tried <input type='hidden' name='cars' value='".$_POST['cars']."' /> but that didn't work either. This is what I'm using to display the data on the final page, as a check to make sure it's working (this is where I'm just getting the word, "Array"): echo"Car Id's: ".$_POST['cars']."<br />"; So, I guess my question is how do I pass the multiple options checked on the first page through more than one page? It works fine displaying the data on the second page, however when I try to display it again on the third page via the hidden input, it doesn't work. I have created a form which allows people to add data to a database. However, I want to replicate the form across several pages and give each page a category. For example, if I have a website based on sport. I have a page which enters information into the baseball category, a page which enters information into the ice hockey category, a page which enters information into the soccer category etc. Can someone advise how I would do this? Hey all, i have a little problem. I have a form, and when submitting, i need to use the ID that i put in the $_GET array earlier. When you're entering my site, and clicks a certain link, the $_GET will store show=1, and when you're submitting the form on the page, the value of 'show' is needed on the redirect page.. I thought that it would be smart to transfer it with a hidden textfield, but somehow it fails? <form id="comment-form" action="comment_profile.php" method="POST"> <fieldset> <div class="field"> <textarea name="comment-field" rows="2" cols="66"></textarea> <input type="hidden" name="pofileid-field" value="<?php echo $_GET['show']; ?>" /> // <--- Here is the hidden field. <input type="submit" name="submit-field" class="submit" value=""/><i> (HTML tags kan bruges)</i> </div> </fieldset> </form> Above you can see a piece of my code, and i marked the hidden field aswell. What i do not understand is, why isn't the hidden fields value return the value of show when i check in comment_profile.php, as that is where it returns? Thanks in advance -Niixie This is just a snippet of my code. The php script itself is called test.php and so it calls itself once the form is submitted. I keep having problems retrieving the data back correctly; I am testing in retrieving the data on the same script from the same page before retrieving the POST data from another webpage. If $decimalSum is a variable that assigns a value that is hard-coded then I would be able to retrieve the same value. However, if the value is computed I can not retrieve it unless I click on the "Find" button twice. This is such a strange behavior and I don't know why. Does anyone have any suggested solutions to this? <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title></title> </head> <body> <?php echo '<form enctype="multipart/form-data" method="post" action="test.php">'; echo ' <label for="_firstName">First name : </label>'; echo ' <input type="text" id="_firstName" name ="_firstName">'; echo ' <input type="checkbox" value="1" name="_firstNameChecked"/>'; echo ' <label for="_middleName">Middle name : </label>'; echo ' <input type="text" id="_middleName" name ="_middleName">'; echo ' <input type="checkbox" value="1" name="_middleNameChecked" />'; echo ' <label for="_lastName">Last name : </label>'; echo ' <input type="text" id="_lastName" name ="_lastName">'; echo ' <input type="checkbox" value="1" name="_lastNameChecked" />'; echo '<br />'; echo '<input type="submit" name="Find" value="Find" />'; $firstNameChecked = intval(($_POST['_firstNameChecked'])); $middleNameChecked = intval(($_POST['_middleNameChecked'])); $lastNameChecked = intval(($_POST['_lastNameChecked'])); $decimalSum = (int)((2*2*2)*$firstNameChecked + (2*2)*$middleNameChecked + (2*1)*$lastNameChecked); //$decimalSum = 28; echo '<br />'; echo '$decimalSum = ' . $decimalSum . '<br />'; echo '<input type="hidden" name="_decimalSum" value = "' . $decimalSum . '" />'; $decimalSum2 = ($_POST['_decimalSum']); echo '$decimalSum2 = ' . $decimalSum2 . '<br />'; echo '</form>'; echo '</body>'; echo '</html>'; ?> Is there anything wrong (or insecure) with using hidden form fields? I am working on a page where the user can choose one of 4 different subscription options. The approach I was going to use is to have a separate form for each plan, and when the user chooses one, submit a hidden form value so my script knows which subscription plan to grab out of the database. Thoughts? Hi I've got a form that users enter an identification pin in for their first question as well as clicking a radio button(Q1.php) . They click submit and the answers are put through a couple of multiplication function and then placed in a table (alongside the pin) via Q2.php. On the Q2 page I want to place the 2nd question that the user needs to answer. Rather than making them retype the pin I was hoping to process it as a hidden field - being picked up from their Q1.php entry. This 'hidden pin echo ' process will continue throughout Q2- Q10 pages. However - I can't seem to include any php in the page after the Q1 form has been processed. Have I got my php tags messed up? <?php $con = mysql_connect("localhost","ca","d"); if (!$con) { die('Could not connect: ' . mysql_error()); } mysql_select_db("candango", $con); $q1 =$_POST['q1']; $pin =$_POST['pin']; $ans1 = $q1 * 3; $ans2 = $q1 * 5; $ans3 = $q1 * 2; $enter_sql= "INSERT INTO aapcm2 (pin,ans1, ans2, ans3) VALUES ('$pin','$ans1','$ans2','$ans3')"; $enter_query =mysql_query($enter_sql) or die (mysql_error()); ?> <body> <p>Thank you - You have successfully entered your answers.</p><form action="q2.php" method="post"> <p>What do you think the answer to this one is? <input type="radio" name="q2" id="q2" value="-3"> <label for="q2"></label> <input name="Hidden" type="hidden" id="Hidden" value="$pin" /></p> <p> <input type="submit" name="button" id="button" value="Submit"> </p> </form> <p></p> </body> Here's my PHP form code: Code: [Select] <form method='POST' action="<?php basename($_SERVER['PHP_SELF']);?>" onSubmit="return stripInputBoxes(1)"> <?php echo "<div id = 'purchaseOrderRow1' style = 'display:none;border: 1px solid black;'>"; echo $integrityBuildingProductsPDF; echo '<input type = "hidden" id = "pdf1" value = "" name = "pdf1" />'; echo '<button name = "savePurchaseOrder" type = "submit">Save Purchase Order</button>'; echo "</div>"; ?> </form> Here's my Javascript: Code: [Select] function stripInputBoxes(pdfNumber) { if (!document.getElementsByTagName) return; for (i = 0; i < document.getElementById('tableBody').getElementsByTagName('tr').length - 3; i++) { document.getElementById(i).parentNode.innerHTML = document.getElementById(i).value; } document.getElementById("pdf" + pdfNumber).value = "ljkasdkljf"; return true; } Will this set the value of the hidden variable? I'm trying to echo the value of $_POST['pdf1'] but it comes out to nothing when the page reloads. How do I do this? What I'm trying to do here is display a purchase order on the screen and the user can edit the quantities in the purchase order. They click SAVE to save the new updated quantities and it auto generates a PDF that's saved on the server with those new quantities. The problem is I need to run the stripInputBoxes function to take the <input> tags out of the HTML code before creating the PDF because the PDF generator doesn't recognize the tags. Can someone please tell me what I am doing wrong here? For some reason, the variable doess not seem to be getting passed to the "action" php script this input is in my html form (action=post)... <input type="hidden" name="httpreferer" value="<?php echo $_SERVER['HTTP_REFERER'] ?>" /> this is in the action script... $httpreferer=$_POST['httpreferer']; echo $httpreferer; I posted this in the CSS forum with no success. Hello all! I have been trying for days to get HTML purifier to filter my CSS, with no prevail at all. Do you guys recommend any certain way to filter user inputted CSS style sheets? Any filter to use? Hey, I'm wondering how to secure my unsubscribe link. Currently the link looks something like this delete.php?id=6 the number is the field id of the email address. However when if someone then changed the to delete.php?id=5 then the email address with the id 5 would be deleted. I have tried doing an MD5 but it doesn't seem to work. Any ideas I've been trying all day. Hello,
I am quite new to the php and website scene and i am trying to find the best way to validate and sterilize my $_post the way i have come up with is
$id = filter_var(mysql_real_escape_string($_POST['id']),FILTER_SANITIZE_NUMBER_INT);or $id = mysql_real_escape_string($_POST['id']); $id1 = filter_var($id,FILTER_SANITIZE_NUMBER_INT);which will be the best way to do it or is there a better way. Thanks Edited by AdamHull12, 04 October 2014 - 11:15 AM. Hello, I'm writing an application that will have to interact with my webserver and it will be using php to input data into the database and retrieve from as well. However, I'm not sure what is the best approach on securing my database from people sniffing while using my application. The only thing that I can do that is coming to mind is try to use a unique key as a password and have one of my GET vars be that password, but that is easily sniff-able. What can I do to secure my database and prevent people from filling up my databases if they sniff out my password key? Is there any kind of encryption I can use that will defeat this? Hello everyone, this is my first post. This isn't just a simple post and leave, I'm looking to expand into this community and learn as much as I can. Well on to the problem at hand! I decided to start with something simple as a login page and now want to expand it to make it fully functional. Code: (index.html) [Select] <html> <head> <title>Deadnode.com</title> <LINK href="style.css" rel="stylesheet" type="text/css"> </head> <body> <div style=width:150px;height:80px;position:absolute;left:40%;top:35%; margin-left:-135px;margin-top:-50px;"> <div class="sidebox"> <div class="boxhead"><h2>Login Required</h2></div> <div class="boxbody"> <form method="post" action="check.php"> <center><table> <tr><td><font face="verdana,arial" size=-1>User:</td><td><input type="text" name="user"></td></tr> <tr><td><font face="verdana,arial" size=-1>Pass:</td><td><input type="text" name="pwd"></td></tr> <tr><td><font face="verdana,arial" size=-1> </td><td><font face="verdana,arial" size=-1><input type="submit" value="Login"></td></tr> </table></center> </form> </div> </div> </body> </html> Code: (function.php) [Select] <?php function check() { $admin="test"; $pass="test"; if ( $_POST["user"] == $admin & $_POST["pwd"] == $pass) { header('Location: output.php'); } else { header('Location: index.html'); } } ?> Code: (check.php) [Select] <?php require('function.php'); check(); ?> This is just the code in it originally form; completely functional. I tried to use start_session() in my check() function. I know I should be using cookies, but I haven't gotten that far yet. Is it possible to use my check function as a way to block pages? I tried inserting the same code that is in check.php onto a html page, but I've had no luck with it redirecting back to my index.html page. I was told that my login page could easily be manipulated to set themselves as my username (Mod Justin), giving them powers. How can I further secure my website's use of cookies? Quote I just visited your site as you - Mod Justin, simply by setting a 'user' cookie for your domain with your username in it. Your login code is NOT effective at stopping anyone or any bot script from impersonating any of the users, even impersonating you. My login code: http://pastebin.com/cBLybGKq Any possible solution to this? Hey everyone, I am trying to secure php includes and I wrote the following lines: Code: [Select] <?php $dir=scandir('.'); if (in_array('copyright.php',$dir)) { include('copyright.php'); } else { echo 'That page could not be found'; } ?> Is this code secure enough, can anyone help me improve it? Thanks in advance. Hey everyone, I am new to PHP and I want to learn how to secure a PHP session properly. I wrote a few lines, but I don't know if it's secure enough. Code: [Select] <?php session_start(); if (isset($_SESSION['exists'])) { if ($agent != $_SERVER['HTTP_USER_AGENT']) { session_unset(); session_destroy(); session_regenerate_id(True); } } else { $_SESSION['exists']=1; $agent=$_SERVER['HTTP_USER_AGENT']; session_regenerate_id(); } ?> Can anybody help me correct or improve my code? Thanks in advance. I've just gotten back into re learning web development, I have created a contact form however my server is forcing me to use SMTP which will require me to have a config include with my details inside. How do I ensure nobody can open the files in the browser? I have heard of putting the files outside of the webroot or using htaccess files however the passive aggressive answers I got from stack over flow didn't tell me HOW to implement them. The files are Form.HTML Bin/config.php Bin/mail.php Any help is appreciated. I am building an e-commerce site and have a security question. My Payment Gateway has given me "Log-In ID" and "Transaction Key" that I use to log in to their server to submit payments. What is a *reasonable* way to protect this information? I have a VPS with root access, although I'm relying on using sFTP and the Plesk Control Panel since I don't know SSH yet. Can I just store my "Log-In ID" and "Transaction Key" in a php file outside of my Web Root and include it? Would that be secure enough for now? Thanks, Debbie |
|||||||