
HTML Forum

    
Hiding password in prefilled hidden form fields?
Celicaphile

5+ Year Member



 
Msg#: 3361257 posted 5:39 pm on Jun 7, 2007 (gmt 0)

I'm building a site for a B&M retailer who wants their customers to be able to place orders (requests) online for items that would be shipped to the store. The wholesaler has a site for the retail owner to access to place their orders. The wholesaler's site also has an option (checkbox) to allow the B&M store to have a computer for customers to make their requests. That option removes the wholesale prices and admin functions.

Now, I've reconstructed the login form, hidden the fields, including the checkbox, and this would allow the customers to log in w/ a click of a button. Obviously, if a customer knew better, they could get the password by viewing the code...

Is there a way to hide that password further? I'll be coding it in HTML or PHP (header & footer includes).

Thanks :)

 

Xapti

WebmasterWorld Senior Member 5+ Year Member



 
Msg#: 3361257 posted 11:28 pm on Jun 7, 2007 (gmt 0)

I don't really understand the situation at all...

[edited by: Xapti at 11:31 pm (utc) on June 7, 2007]

justgowithit

10+ Year Member



 
Msg#: 3361257 posted 1:39 pm on Jun 8, 2007 (gmt 0)

It seems like the wholesaler should have a solution for this.... like an algo & key that you can use when passing the hidden pass field. Unless, of course, what you are doing is not the intended use of the system.

In that case I'd create an algo to encrypt the password when visible to customer and then post the form back to secondary page that will decrypt the pass with a key and then redirect upon success to the wholesaler. Not really a great solution, but I don't understand why the wholesaler wouldn't have a system in place to solve this issue.

rocknbil

WebmasterWorld Senior Member, WebmasterWorld Top Contributor of All Time, 5+ Year Member



 
Msg#: 3361257 posted 2:52 pm on Jun 8, 2007 (gmt 0)

Let me get this correct -

1. B & M retailer has an account with wholesaler that is protected on the wholesaler's site by a login name and password.

2. Your solution allows this password to be exposed via a plain text hidden field in a form for the convenience of the customer, then when the customer submits it auto-logs in to the wholesaler site.

Is this correct?

If you expect that a hidden field is some sort of protection this is a VERY BAD IDEA. It's a foolish assumption to hope that only unaware customers will use your page. Remember rule one of forms: any input is a potential hack, including HIDDEN input.

Additionally it's taking the customer off-site by posting to the wholesaler's site, correct?

Here is how I would do this, and I would *only* do so on a secure SSL encrypted site:

1. Your customer form posts the requested items to a script on your server.

2. This script gets the login name and this password from an encrypted file or decrypts it from a database. It is now held only in memory.

3. Using the command line program curl your script posts the login info and form data to the wholesaler's server. In case you don't know, curl posts to a url and the returned result is just as if you'd posted a form and its data somewhere.

4. Based on the result you return a page to the browser, and you have the added bonus of the customer never having left your site.

curl will work in any language on a linux server. Something like (perl below)

$result = `curl -d 'login=somename&pass=pass&itemname=Blue%20Widgets' 'http://wholesaleexample.com'`;

And $result has the response from the server, it will be output like an html page.

Form -> script, script assembles variables -> curls URL -> parses result -> returns response to browser. All one process, nothing exposed to browser.
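
The server-side relay described in the post above (form -> script -> wholesaler -> response), as an added Python example that is not part of the thread. The credentials file path and its JSON layout are assumptions; the field names and placeholder host come from the curl line in the post, with https assumed.

```python
import json
import os
import stat
import urllib.parse
import urllib.request

# Assumed names (not from the thread): the credentials file path and its JSON
# layout. Field names "login", "pass", "itemname" follow the post's curl line.
CREDS_PATH = "/etc/shop/wholesaler.json"         # hypothetical, outside the web root
WHOLESALER_URL = "https://wholesaleexample.com"  # placeholder host, https assumed


def load_credentials(path=CREDS_PATH):
    """Read the wholesaler login from a file only the script's user can access."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is accessible to group/other (mode {mode:o})")
    with open(path, encoding="utf-8") as fh:
        creds = json.load(fh)
    return creds["login"], creds["pass"]


def build_body(login, password, item):
    """Encode every field, so a customer value like 'x&pass=y' stays one field."""
    if not item or len(item) > 200:
        raise ValueError("item name missing or too long")
    fields = {"login": login, "pass": password, "itemname": item}
    return urllib.parse.urlencode(fields).encode("ascii")


def relay_order(item, url=WHOLESALER_URL, creds_path=CREDS_PATH, timeout=10):
    """Post the order with server-held credentials; return (status, body text)."""
    login, password = load_credentials(creds_path)
    body = build_body(login, password, item)
    req = urllib.request.Request(url, data=body, method="POST")
    # The password travels only in the request body: it never appears in the
    # HTML sent to the customer or in a process argument list.
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read().decode("utf-8", errors="replace")
```

The customer's form would submit only the item name to the page that calls `relay_order`; the login never reaches the browser.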
