Hiding password in prefilled hidden form fields?

5:39 pm on Jun 7, 2007 (gmt 0)

Junior Member

10+ Year Member

joined:July 2, 2005
votes: 0

I'm building a site for a B&M retailer who wants their customers to be able to place orders (requests) online for items that would be shipped to the store. The wholesaler has a site for the retail owner to access to place their orders. The wholesaler's site also has an option (checkbox) to allow the B&M store to have a computer for customers to make their requests. That option removes the wholesale prices and admin functions.

Now, I've reconstructed the login form, hidden the fields, including the checkbox, and this would allow the customers to log in w/ a click of a button. Obviously, if a customer knew better, they could get the password by viewing the code...

Is there a way to hide that password further? I'll be coding it in HTML or PHP (header & footer includes).

Thanks :)

11:28 pm on June 7, 2007 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Mar 18, 2007
votes: 0

I don't really understand the situation at all...

[edited by: Xapti at 11:31 pm (utc) on June 7, 2007]

1:39 pm on June 8, 2007 (gmt 0)

Preferred Member

10+ Year Member

joined:Jan 19, 2004
votes: 0

It seems like the wholesaler should have a solution for this.... like an algo & key that you can use when passing the hidden pass field. Unless, of course, what you are doing is not the intended use of the system.

In that case I'd create an algo to encrypt the password when visible to the customer and then post the form back to a secondary page that will decrypt the pass with a key and then redirect upon success to the wholesaler. Not really a great solution, but I don't understand why the wholesaler wouldn't have a system in place to solve this issue.

2:52 pm on June 8, 2007 (gmt 0)

Senior Member

WebmasterWorld Senior Member rocknbil is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Nov 28, 2004
votes: 0

Let me get this correct -

1. B & M retailer has an account with wholesaler that is protected on the wholesaler's site by a login name and password.

2. Your solution allows this password to be exposed via a plain text hidden field in a form for the convenience of the customer, then when the customer submits it auto-logs in to the wholesaler site.

Is this correct?

If you expect that a hidden field is some sort of protection this is a VERY BAD IDEA. It's a foolish assumption to hope that only unaware customers will use your page. Remember rule one of forms: any input is a potential hack, including HIDDEN input.

Additionally it's taking the customer off-site by posting to the wholesaler's site, correct?

Here is how I would do this, and I would *only* do so on a secure SSL encrypted site:

1. Your customer form posts the requested items to a script on your server.

2. This script gets the login name and this password from an encrypted file or decrypts it from a database. It is now held only in memory.

3. Using the command line program curl your script posts the login info and form data to the wholesaler's server. In case you don't know, curl posts to a URL and the returned result is just as if you'd posted a form and its data somewhere.

4. Based on the result you return a page to the browser, and you have the added bonus of the customer never having left your site.

curl will work in any language on a Linux server. Something like this (Perl below):

# Backticks run curl and capture its standard output (the wholesaler's response body).
# The -d value is quoted so the shell passes the URL-encoded fields through unchanged.
my $result = `curl -d 'login=somename&pass=pass&itemname=Blue%20Widgets' 'http://wholesaleexample.com'`;

And $result has the response from the server; it will be output like an HTML page.

Form -> script, script assembles variables -> curls URL -> parses result -> returns response to browser. All one process, nothing exposed to browser.
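The server-side flow rocknbil describes, written up as an added Python example (not code from this thread or from the wholesaler): the script loads the retailer's login from server-side storage, keeps only allow-listed customer fields, adds the credentials itself, and posts to the wholesaler so nothing reaches the browser. The WHOLESALER_LOGIN/WHOLESALER_PASS environment variables, the ALLOWED_FIELDS list and the `wholesale` field name are assumptions; the `login`, `pass` and `itemname` names and the placeholder URL come from the curl line above.

```python
import os
from urllib.parse import parse_qs, urlencode
from urllib.request import Request, urlopen

WHOLESALER_URL = "http://wholesaleexample.com"   # placeholder URL from the thread's curl line
ALLOWED_FIELDS = ("itemname", "quantity")        # assumption: the only customer fields relayed
CREDENTIAL_FIELDS = ("login", "pass")            # field names used in the thread's curl line


def load_credentials(env=os.environ):
    """Read the wholesaler login from server-side environment variables (an assumption;
    the post suggests an encrypted file or database). The browser never sees these values."""
    return {"login": env["WHOLESALER_LOGIN"], "pass": env["WHOLESALER_PASS"]}


def build_post_body(raw_form: str, creds: dict) -> str:
    """Assemble the body that curl -d would send: allow-listed customer fields plus the
    server-held login. Every browser-supplied key outside ALLOWED_FIELDS is dropped, so a
    submission carrying its own 'login', 'pass' or an assumed 'wholesale' checkbox cannot
    override the credentials or re-enable wholesale mode (hidden inputs are still input)."""
    submitted = parse_qs(raw_form, keep_blank_values=True)
    fields = {k: submitted[k][0] for k in ALLOWED_FIELDS if k in submitted}
    if "itemname" not in fields:
        raise ValueError("itemname is required")
    for k in CREDENTIAL_FIELDS:
        fields[k] = creds[k]
    return urlencode(fields)


def relay_order(raw_form: str, creds: dict, opener=urlopen) -> bytes:
    """Post the order to the wholesaler from the server and hand its response back,
    so the customer never leaves the retailer's site. 'opener' lets a test stub the network."""
    body = build_post_body(raw_form, creds).encode()
    req = Request(WHOLESALER_URL, data=body, method="POST")
    with opener(req) as resp:
        return resp.read()


if __name__ == "__main__":
    # Constructed sample: a customer submission that also carries its own login fields
    # and the assumed 'wholesale' checkbox; only itemname and quantity survive.
    sample = "itemname=Blue%20Widgets&quantity=2&login=notme&pass=x&wholesale=1"
    print(build_post_body(sample, {"login": "somename", "pass": "pass"}))
```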