-3

I have form in which I have two hidden fields. I want to secure the data in hidden fields so that no one can see it through page source and fire bug. I alreday used session and it's working but I cant use that. I need altrnative to It please help.

<form name="android" method="post" action="http://apps.createcoolapps.com/c2dm_send.ashx" target="_blank" onSubmit="return valid();">
<table align="center">  
<?php $qry_id=mysql_query("select * from users where u_name='$_SESSION[u_name]'");
                    while($id_fetch=mysql_fetch_assoc($qry_id)){
            ?>

      <input type="hidden" name="publisherid" value="createcoolapps" />
<input type="hidden" name="username" value="<?php echo $query_id[manager_uname];?>" />
<input type="hidden" name="pass" value="<?php echo $query_id[manager_pass];?>" />
    <tr align="center">
    <td style="width: 100px; font-family: Helvetica,Arial,sans-serif; font-weight: bold;">Select Appid:<br>
      <select name="appid" style="border-style:hidden">
    <option value="">Select any one</option>
    <option value="QRScanner">app1</option>
    <option value="app3">app3</option>
    <option value="app4">app4</option>
    </select>
    </tr> 
    <tr align="center">
    <td style="width: 100px; font-family: Helvetica,Arial,sans-serif; font-weight: bold;">Notification Message:<br>
      <textarea name="pushmessage" style="width: 300px;"></textarea><br />
    </tr>
    <?php }?>
Kasyx
  • 3,170
  • 21
  • 32
gss
  • 63
  • 1
  • 2
  • 11
  • If you are going to have it as a hidden field it will be accessible via the browser/client. So you need to use sessions, OR you can encrypt it so the encrypted data is shown instead. – kittycat Apr 20 '13 at 07:12
  • Printing user's password to the page is not a good idea. Actually doing things with user's password is not a good idea at all. – draconis Apr 20 '13 at 07:19
  • ya i know but if i am using sessions and not using echo it doesnt workss – gss Apr 20 '13 at 07:26
  • Do not ask the same question again regarding the same issue. You should modify your [original question](http://stackoverflow.com/questions/16001849/how-to-hide-values-in-hidden-fields) to add additional information. – kittycat Apr 20 '13 at 07:31
  • Possible duplicate: http://stackoverflow.com/questions/16001849/how-to-hide-values-in-hidden-fields – kittycat Apr 20 '13 at 07:32
  • can u plz help me solving that problem... – gss Apr 20 '13 at 07:33
  • [Please, don't use `mysql_*` functions](http://stackoverflow.com/q/12859942/1190388) in new code. They are no longer maintained and are [officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). See the red box? Learn about prepared statements instead, and use [tag:PDO] or [tag:MySQLi]. – hjpotter92 Apr 20 '13 at 09:30
  • hey thnxx......and one more help i need as i am passing the data to another page ...but i aslo want to store it in database – gss Apr 20 '13 at 10:31

2 Answers2

3

This is not possible. Firebug just reads the DOM in it's actual state, so even if it's added in a later stage, it can still be retrieved.

This way of security is called Security through obscurity and is a kind of non-security. You would have to solve it another way, like letting the server do the request in stead.

You let the user submit the form to the server. Then with curl, you make the call to the webservice with the correct user code.

For further info Best way to hide a form input field from being accessed using firebug?

Community
  • 1
  • 1
Zeshan
  • 67
  • 6
0

Hidden field and secure?Not possible. Session and server side code is secure. You can do encryption and decryption. But that may be broken. Use database with session to handle data.

web2students.com
  • 307
  • 2
  • 16
  • 1
    ya i tried it using sessions...it works, it doesn't show values in page source ..but when i submit its says session expired in the page where i am redirecting it http://apps.createcoolapps.com/c2dm_send.ashx – gss Apr 20 '13 at 07:17