Forum Moderators: coopster


Using Server Side Scripting To Hide A Form Field's Value

would rather not use the hidden attribute in an html form

         

imtrypin

5:17 am on Oct 11, 2007 (gmt 0)

10+ Year Member



Howdy folks,

I was wondering if there was any way to use PHP to insert constant values into a form? Basically I want to stay away from using an html form with a hidden attribute to the input tag.

Let's say my constant value is 55.21. This value has to be included in the form when it gets processed, but I don't want anybody to be able to View Source, or download the page and then View Source (which wipes out the whole slew of Right Click Disable scripts).

Any help is greatly appreciated.

Thanks in advance.

Habtom

5:22 am on Oct 11, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Let's say my constant value is 55.21

How about setting it as a constant in the PHP code itself?
define("MYVALUE", 100);

And later use it in the insert statement, or any PHP code you have.

INSERT INTO . . . . VALUES(. . . . , ". MYVALUE .")

imtrypin

5:41 am on Oct 11, 2007 (gmt 0)

10+ Year Member



I might have said that wrong.

I'm not wanting to insert the constant value into a table but rather into a form. My concern is this: I have about five different values that need to be passed through the form, but I do not want those values to be displayed, so normally you'd use (in html):

<input type="hidden" name="creditcardnumber" value="constant value" />

However, when you do this the user can see the value that you want hidden by right clicking on the page and choosing View Source. If I add a No Right Click script then they can still use the keyboard to view the source. So I've included this statement in my code (html):

<body oncontextmenu="return false;">

This stops the keyboard as well as the right mouse button from Viewing Source. However, if a person uses the browser menu and chooses Save As, then opens the page in an editor or even Notepad for that matter, my constant values that I am wanting to keep hidden are there for the user to see.

What I am actually wondering about is whether or not there is a way to hide these values and still pass them to the action page of the form?

Habtom

5:56 am on Oct 11, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



If there doesn't seem to be an easier solution, you can store them in SESSION [php.net] or COOKIES [php.net]

imtrypin

6:12 am on Oct 11, 2007 (gmt 0)

10+ Year Member



Wouldn't that be the same as:

<input type="hidden" name="card_number" value="<?=$_POST['var2'];?>" />

Which, once parsed, places the actual value of var2 into the input line? Which is then visible by viewing the source of the page?

adb64

6:27 am on Oct 11, 2007 (gmt 0)

10+ Year Member



Something I've used in the past for something similar to what you want is to put all (5 in your case) values in a structure, serialize it, do a base64 encoding on that string, and put the result of the base64 encoding as a hidden value in the form. When processing the form, reverse the whole process:

class MyValues_t
{
    var $Var1;
    var $Var2;
    var $Var3;
    var $Var4;
    var $Var5;
}
$MySecretValues = new MyValues_t();
//
// assignment of values in $MySecretValues
//
$HiddenString = base64_encode(serialize($MySecretValues));
echo "<input type='hidden' name='myvalues' value='$HiddenString' />";

When processing the form use the following to get the values back

$MySecretValues = unserialize(base64_decode($_GET['myvalues']));

Of course, anyone knowing the process is able to decode, but you could mangle the string returned by the serialize function before doing the base64 encoding. Or add an md5 [php.net] hash to have more protection against someone tampering with the string.
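
The tamper-protection idea at the end of the thread, written out as an added example (it is not code from any poster): the values are JSON-encoded rather than serialized, so the processing page never unserializes client-supplied data, and they are tagged with HMAC-SHA256 under a server-side key instead of a bare md5 hash. The names `pack_values`, `unpack_values` and `FORM_KEY` are hypothetical, and the key and sample values are constructed placeholders.

```php
<?php
// Added example; function and constant names are hypothetical.
// FORM_KEY is a placeholder: load a random server-side secret from configuration.
const FORM_KEY = 'replace-with-32-random-bytes-from-config';

// Encode the values as JSON and append an HMAC-SHA256 tag over the encoded payload.
function pack_values(array $values): string
{
    $payload = base64_encode(json_encode($values));
    $tag = hash_hmac('sha256', $payload, FORM_KEY);
    return $payload . '.' . $tag;
}

// Return the values if the tag verifies, or null if the field was altered or malformed.
function unpack_values(string $field): ?array
{
    $parts = explode('.', $field);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $tag] = $parts;
    $expected = hash_hmac('sha256', $payload, FORM_KEY);
    if (!hash_equals($expected, $tag)) { // constant-time comparison
        return null;
    }
    $json = base64_decode($payload, true);
    if ($json === false) {
        return null;
    }
    $values = json_decode($json, true);
    return is_array($values) ? $values : null;
}

// Rendering the form (constructed sample values).
$field = pack_values(['price' => '55.21', 'plan' => 'basic']);
echo '<input type="hidden" name="myvalues" value="'
    . htmlspecialchars($field, ENT_QUOTES) . '" />' . PHP_EOL;

// Processing the submission: an unmodified field round-trips.
var_dump(unpack_values($field) === ['price' => '55.21', 'plan' => 'basic']);

// A field whose payload was edited in a saved copy of the page fails verification.
$tampered = base64_encode(json_encode(['price' => '0.01', 'plan' => 'basic']))
    . '.' . explode('.', $field)[1];
var_dump(unpack_values($tampered));
```

The signed field is still readable by anyone who base64-decodes it; the tag only detects changes. Values that must stay unseen belong in `$_SESSION` on the server, so that only the session identifier reaches the browser.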