Now, I've reconstructed the login form, hidden the fields, including the checkbox, and this would allow the customers to log in w/ a click of a button. Obviously, if a customer knew better, they could get the password by viewing the code...
Is there a way to hide that password further? I'll be coding it in HTML or PHP (header & footer includes).
In that case I'd create an algo to encrypt the password when visible to customer and then post the form back to secondary page that will decrypt the pass with a key and then redirect upon success to the wholesaler. Not really a great solution, but I don't understand why the wholesaler wouldn't have a system in place to solve this issue.
1. B & M retailer has an account with wholesaler that is protected on the wholesaler's site by a login name and password.
2. Your solution allows this password to be exposed via a plain text hidden field in a form for the convenience of the customer, then when the customer submits it auto-logs in to the wholesaler site.
Is this correct?
If you expect that a hidden field is some sort of protection this is a VERY BAD IDEA. It's a foolish assumption to hope that only unaware customers will use your page. Remember rule one of forms: any input is a potential hack, including HIDDEN input.
Additionally it's taking the customer off-site by posting to the wholesaler's site, correct?
Here is how I would do this, and I would *only* do so on a secure SSL encrypted site:
1. Your customer form posts the requested items to a script on your server.
2. This script gets the login name and this password from an encrypted file or decrypts it from a database. It is now held only in memory.
3. Using the command line program curl your script posts the login info and form data to the wholesaler's server. In case you don't know, curl posts to a URL and the returned result is just as if you'd posted a form and its data somewhere.
4. Based on the result you return a page to the browser, and you have the added bonus of the customer never having left your site.
curl will work in any language on a Linux server. Something like (Perl below):
$result = `curl -d 'login=somename&pass=pass&itemname=Blue%20Widgets' 'http://wholesaleexample.com'`;
And $result has the response from the server; it will be output like an HTML page.
Form -> script, script assembles variables -> curls URL -> parses result -> returns response to browser. All one process, nothing exposed to browser.
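The flow in the last post (form -> script -> curl -> response), as an added shell example that is not part of the thread. The field names and host follow the post's placeholders; `CRED_FILE`, its `login:password` layout, the allowlist for item names and the use of https are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread). Field names and host follow the post's
# placeholders; CRED_FILE, its "login:password" layout and https are assumptions.
WHOLESALER_URL='https://wholesaleexample.com'
CRED_FILE="${CRED_FILE:-/etc/shop/wholesaler.cred}"   # outside the web root, mode 0600

# Escape backslash and double quote for a double-quoted curl config value.
cfg_escape() {
    printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Print a curl config for one order; $1 is the item name from the customer's form.
build_curl_config() {
    item=$1
    # Allowlist the form input: a quote or newline here could add config lines.
    case $item in
        ''|*[!A-Za-z0-9\ ._-]*) return 1 ;;
    esac
    [ "${#item}" -le 100 ] || return 1
    # Credentials are read on the server and never written into HTML.
    IFS=: read -r login pass < "$CRED_FILE" || return 1
    [ -n "$login" ] && [ -n "$pass" ] || return 1
    printf 'url = "%s"\n' "$WHOLESALER_URL"
    printf 'data-urlencode = "login=%s"\n' "$(cfg_escape "$login")"
    printf 'data-urlencode = "pass=%s"\n' "$(cfg_escape "$pass")"
    printf 'data-urlencode = "itemname=%s"\n' "$item"
}

# Send the order. The config goes to curl on stdin, so the password does not
# show up in the process list the way a -d argument would.
place_order() {
    cfg=$(build_curl_config "$1") || return 1
    printf '%s\n' "$cfg" | curl --silent --show-error --fail --max-time 15 --config -
}
```

The calling script returns only the parsed result of `place_order` to the browser, so neither the credential file nor the generated config is ever part of a page.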