Resolved: Securer way than hidden data in forms?



ruletka
09-17-2011, 12:39 PM
I have an explore script. A character comes along and wants to trade with you.
So anyways the hidden data is the trader's id.
So

// The trader's id travels in a hidden field, which the user can edit in the browser.
echo ' <form method="post">
<input type="hidden" name="traderid" value="'.$tid.'">
<input type="submit" name="trading" value="Trade">
</form> ';


That's what the form looks like.
With Firefox's page editor add-ons, someone can change the id of the trader. Is there a secure way to pass this information?

myfayt
09-17-2011, 01:41 PM
There is a Firefox add-on for that? Very interesting... do you know the name of it?

ruletka
09-17-2011, 02:01 PM
There are a few.
Search results of it (https://addons.mozilla.org/en-US/firefox/search/?q=edit+page&cat=all)
Firebug and Page Hacker are popular ones.
I just now browsed upon cookie editor add-ons too... but I believe the sessions are hashed so it's not too vulnerable.
Edit cookies search (https://addons.mozilla.org/en-US/firefox/search/?q=edit+session&cat=all&x=0&y=0)
>.> I wonder if anything is safe with all these add-ons.

tangoforce
09-17-2011, 03:30 PM
Use sessions and / or a database.

Hidden fields should only be used for things which aren't of great significance if the user changes them for whatever reason. Also, you should always check the input is what you expect when the data is submitted.

ruletka
09-18-2011, 12:38 AM
So should the session be made, and put into the form, then decoded? Or is that unsafe?

M1Creative
09-18-2011, 05:20 AM
How did you resolve it?

oracleguy
09-18-2011, 06:44 AM
> So should the session be made, and put into the form, then decoded? or is that unsafe.

No, look up using session variables in PHP. You won't need to put any extra data into the form.
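
The session-variable approach recommended in the replies above, sketched as an added example (not code posted by anyone in the thread). The function names, the `pending_trade` session key and the 5-minute expiry are assumptions for illustration; the session array is passed in explicitly so the demo runs from the command line.

```php
<?php
// Added example, not code from the thread. Function names, the session key
// and the 5-minute expiry are assumptions made for illustration.
const OFFER_TTL = 300; // seconds a trade offer stays valid (assumed value)

// Explore script: a trader appears. The id is stored server-side only.
function offer_trade(array &$session, int $traderId, int $now): string {
    $session['pending_trade'] = ['trader_id' => $traderId, 'offered_at' => $now];
    // The form carries no id at all, so there is nothing to edit in the browser.
    return '<form method="post">'
         . '<input type="submit" name="trading" value="Trade">'
         . '</form>';
}

// Form handler: returns the trader id to trade with, or null if no valid offer.
function accept_trade(array &$session, array $post, int $now): ?int {
    $offer = $session['pending_trade'] ?? null;
    if (!isset($post['trading'])) {
        return null;                        // not a trade submit; offer stays pending
    }
    unset($session['pending_trade']);       // one offer, one submit
    if (!is_array($offer) || !is_int($offer['trader_id'] ?? null)) {
        return null;                        // nobody offered a trade
    }
    if ($now - ($offer['offered_at'] ?? 0) > OFFER_TTL) {
        return null;                        // offer expired
    }
    return $offer['trader_id'];             // $post['traderid'], if sent, is never read
}

// Demo with constructed data. In a real page call session_start() first and
// pass $_SESSION, $_POST and time() instead of these stand-ins.
$session = [];
echo offer_trade($session, 42, 1000), PHP_EOL;
$forged = ['trading' => 'Trade', 'traderid' => '999']; // extra field added client-side
var_dump(accept_trade($session, $forged, 1010));  // id comes from the session
var_dump(accept_trade($session, $forged, 1020));  // same submit replayed
```

The trader id returned by `accept_trade()` should still be checked against the database before the trade is carried out, as with any other input.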


