Protecting hidden field on HTML Form with PHP

imlek · #1 (**permalink**) 08-22-04, 02:10 AM

Hi,

I'm using HTML Form to send information of my visitors (Visitor submit this form directly) to destination.com as follow:

<form name="form1" action="http://destination.com/receiver" method="post">
<input type="hidden" name="Login" value="My-Username">
<input type="hidden" name="Passwd" value="My-password">
<input type="hidden" name="Cust" value="John Doe">
<input type="hidden" name="Total" value="100">
<input type="submit" value="Submit">
</form>

This HTML Form is the only method that destination.com can accept.

But this is very big security issue, since people can use 'View Source' and get my login and username.

How to protect my login and password from being viewable to the world but the form still work ? May be hide it somewhere? Or other method?

Please advice.

Thank you.

bugalyzer · #2 (**permalink**) 08-22-04, 09:19 AM

You should never create a form like this with the password hidden in it .. Simply create a login page which authenticates against the destination server and then set a cookie or session variable - or simply trust the information to begin with and send it to the destination site.

It looks like your trying to capture some user info before you send off the request for someone to pay for something correct? If this is the case - most online payment sites (paypal etc.) can send a confirmation email or http post which allows you to capture transaction information.

http://buildacom.com

imlek · #3 (**permalink**) 08-22-04, 11:01 PM

Thanks for all the advice guys.

Your advices clear my sky.