1

As we know, passing $_POST['foo'] is the safest one in PHP.
Even if we want to pass a variable without the end user noticing, we can use <input type='hidden'>,
but too bad, even a user with basic knowledge can notice this by inspecting elements (Chrome) or viewing the source code, and change the value.

Is there any way to encrypt or hide this value, so I can pass this 'secret' parameter to the action page? JavaScript perhaps?

Henry J

2 Answers

5

If you want a value to be secret, don't let it leave the server to begin with. Store secret values on the server only and give the client some token that lets him refer to the value without actually giving the value itself away.

The classic and most used example of this is a session, in which the user receives only a meaningless session id and all data associated with that session id is stored server side.

deceze
  • Oh, that's the way it goes.. we save the value of some variables in the database? Like retrieving a token to get some value? Thank you! – Henry J Jul 02 '13 at 15:00
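
The session-backed token this answer describes, as an added example that is not part of the original answer or comments. The helper names (`issue_token`, `redeem_token`), the `form_secrets` key and the `ref` field name are hypothetical, and a plain array stands in for `$_SESSION` so the script runs from the command line.

```php
<?php
// Added example; all names here are hypothetical, sample values are constructed.

/** Store $secret server-side and return an opaque token for the hidden field. */
function issue_token(array &$session, string $secret): string
{
    $token = bin2hex(random_bytes(16));          // 128-bit unguessable handle
    $session['form_secrets'][$token] = $secret;  // the value itself never leaves the server
    return $token;
}

/** Look up the value for a submitted token; null if unknown or already used. */
function redeem_token(array &$session, $submitted): ?string
{
    // $_POST values can be arrays, so check the type before using it as a key.
    if (!is_string($submitted) || !isset($session['form_secrets'][$submitted])) {
        return null;                              // edited, forged or replayed token
    }
    $secret = $session['form_secrets'][$submitted];
    unset($session['form_secrets'][$submitted]);  // one-time use
    return $secret;
}

// In a web request: call session_start(), then pass $_SESSION and $_POST['ref'].
// Here a constructed array stands in for $_SESSION.
$session = [];
$token = issue_token($session, 'discount=40');   // constructed sample value

// Form page: the browser receives only the token.
echo '<input type="hidden" name="ref" value="'
    . htmlspecialchars($token, ENT_QUOTES) . '">', PHP_EOL;

// Action page: simulate the submitted POST body.
$post = ['ref' => $token];
var_dump(redeem_token($session, $post['ref'] ?? null));  // first submission
var_dump(redeem_token($session, $post['ref'] ?? null));  // same token replayed
var_dump(redeem_token($session, str_repeat('0', 32)));   // token edited in the browser
```

A user who changes the hidden field can only turn a valid token into an unknown one, which the action page rejects; the stored value is never in the page source to read or edit.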
1

You can submit the form using HTTPS to prevent anyone else from seeing the traffic.

To prevent your user from seeing it, you could encode the value using JavaScript. For example, using AES encryption or a simple base64 conversion. Of course, you will need corresponding code on the PHP side to decode the value. I am not sure this is the best overall approach though, since a savvy user could still read your JavaScript and figure out what is going on - as deceze wrote, any value that is submitted to the client is no longer secret.

Community
Justin Ethier
  • That's what I thought, when JavaScript loads, I give everything to them though... anyway, thanks! – Henry J Jul 02 '13 at 14:59