
Thread: forms and hidden elements

  1. #1

    Thread Starter
    Frenzied Member
    Join Date
    Nov 1999
    Posts
    1,337

    forms and hidden elements

    OK, this may sound stupid, but bear with me, or explain how it can't happen.

    OK, you have a user; they cruise to some site, look through the shopping cart and find what they want. Now they go to sign up, and the page that generates the form is for PayPal.

    What is stopping the user from copying that page, saving it to their hard drive, editing the hidden form elements and adjusting the price (or anything else, for that matter), then sending it along like nothing happened???

    Is there a way to hide the form's hidden elements? Some of the hidden elements are needed to complete the process of signing up through PayPal.

  2. #2
    Black Cat JoshT's Avatar
    Join Date
    Nov 2000
    Location
    WNY, USA
    Posts
    4,032
    No, the problem goes beyond just HTML. I have a VB program I wrote that can change any form field, hidden or not, on a page in any running instance of IE. And you can still just open a raw TCP connection to the web server and submit any arbitrary data you want anyway.
    Josh
    Get these: Mozilla Opera OpenBSD
    I have books for sale: "MCSD in a Nutshell" and "VB Distributed Exam Cram" - PM me for details. Will also trade for a decent ATX Pentium 2 MB/CPU/RAM combo.

  3. #3

    Thread Starter
    Frenzied Member
    Join Date
    Nov 1999
    Posts
    1,337
    So how is this safe? I can't believe that people really trust forms as much as they do. Thanks, Josh, for that insight; stay away from my site j/k

  4. #4
    Addicted Member HairyDave's Avatar
    Join Date
    Aug 2002
    Location
    Er...I can't remember.
    Posts
    196
    Do people use PHP or JSP or ASP to 'hide' the information from the user?

    HD

  5. #5
    Black Cat JoshT's Avatar
    Join Date
    Nov 2000
    Location
    WNY, USA
    Posts
    4,032
    Originally posted by phpman
    So how is this safe? I can't believe that people really trust forms as much as they do. Thanks, Josh, for that insight; stay away from my site j/k
    You assume all user-supplied data is malicious until proven otherwise, through regular expressions or some other means.
    Josh

  6. #6

    Thread Starter
    Frenzied Member
    Join Date
    Nov 1999
    Posts
    1,337
    HD, how do you hide a form's hidden element with server-side code? I don't believe you can.

    So nothing is stopping a user from changing the amount of a product if the product's amount is a hidden form value?

    There has to be another way.

  7. #7
    Addicted Member HairyDave's Avatar
    Join Date
    Aug 2002
    Location
    Er...I can't remember.
    Posts
    196
    What I mean is that any JSP (I only really know JSP) code is hidden from the user; all they see is the actual output (HTML). Therefore info could be stored in the JSP, then validated.

    I don't know; I'm just throwing some ideas into the pot!

    HD

  8. #8

    Thread Starter
    Frenzied Member
    Join Date
    Nov 1999
    Posts
    1,337
    Yeah, but the form's elements can't be hidden like that.

    I see what you are trying to say, and I hope there is a way to do that.

    And it is a good idea to throw stuff into the pot.

  9. #9
    Addicted Member HairyDave's Avatar
    Join Date
    Aug 2002
    Location
    Er...I can't remember.
    Posts
    196
    Except for money, which should be thrown into my pocket.

    Hidden form elements cannot be 'hidden' through JSP, as they are HTML elements.

    Surely there would be some server-side validation anyway (database etc.). Editing the price would then make no difference: the element ordered would have a database price, and if you sent back a new price it would just use the 'global' price.

    Wouldn't it be foolish to store all the information about a purchase on one page (items, price, user etc.)? Isn't that why you have to become a member of this sort of place: it's stored in a DB?

    Again, I really don't know how this works, but that's nothing new.

    HD
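
HairyDave's point, that the database price rather than the submitted one should decide the total, is the standard defence for hidden price fields. The snippet below is an added example, not code from anyone in the thread: the catalog, field names and quantity limit are constructed for illustration. It recomputes the total from server-side prices only, and reports when the client-submitted price disagrees so the attempt can be logged rather than silently ignored.

```python
from decimal import Decimal, InvalidOperation

# Constructed sample catalog standing in for the database prices described
# in the thread. Real code would query the database here.
CATALOG = {
    "widget": Decimal("19.99"),
    "gadget": Decimal("49.50"),
}

MAX_QTY = 100  # constructed upper bound to reject absurd quantities


def server_total(form, catalog=CATALOG):
    """Return (total, tamper_suspected) for a submitted order form.

    `form` is the dict of submitted fields. Only `item` and `qty` are taken
    as input; the submitted `price` field is never used for the total. It is
    compared with the catalog price purely so a mismatch can be logged.
    """
    item = form.get("item", "")
    if item not in catalog:
        raise ValueError("unknown item")

    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise ValueError("quantity is not an integer")
    if not 1 <= qty <= MAX_QTY:
        raise ValueError("quantity out of range")

    # The authoritative total: catalog price times validated quantity.
    total = catalog[item] * qty

    # Detection only: did the browser send a price that differs from ours?
    tamper_suspected = False
    submitted_price = form.get("price")
    if submitted_price is not None:
        try:
            tamper_suspected = Decimal(submitted_price) != catalog[item]
        except InvalidOperation:
            tamper_suspected = True

    return total, tamper_suspected


if __name__ == "__main__":
    # Constructed submissions: one honest, one with the hidden price edited.
    honest = {"item": "widget", "qty": "2", "price": "19.99"}
    edited = {"item": "widget", "qty": "2", "price": "0.01"}
    print(server_total(honest))  # (Decimal('39.98'), False)
    print(server_total(edited))  # (Decimal('39.98'), True)
```

The edited form is charged the same 39.98 as the honest one; the only difference is the flag, which is the signal worth writing to a log.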

  10. #10

    Thread Starter
    Frenzied Member
    Join Date
    Nov 1999
    Posts
    1,337
    Well, yeah, sort of. There are some things that PayPal needs to be sent with the form, and one of these is the price. Of course you have to be a member, and if it is a set price then no problem, but if the price varies then it could be altered.
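
For the case phpman raises, where a variable price genuinely has to travel through the browser in a hidden field, the server cannot stop the user editing it, but it can make the edit detectable: sign the protected fields with a server-held secret when the form is rendered, and verify the signature when the fields come back. The code below is an added example, not from the thread or from PayPal; the field names, the secret and the hidden-field layout are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed secret for the example. In deployment this lives in server-side
# configuration and never appears in any page sent to the browser.
SERVER_SECRET = b"example-secret-do-not-reuse"

# Hidden fields whose values must not change between rendering and submission
# (assumed names, modelled on a payment form that carries its own price).
PROTECTED = ("item_name", "amount", "currency_code")


def _canonical(fields):
    """Serialise the protected fields in a fixed order.

    Each value is length-prefixed so two different field sets can never
    produce the same bytes (a plain join with a separator could be ambiguous
    if a value contained that separator).
    """
    parts = []
    for key in PROTECTED:
        value = str(fields[key])
        parts.append(f"{key}={len(value)}:{value}")
    return "\n".join(parts).encode("utf-8")


def sign_hidden_fields(fields, secret=SERVER_SECRET):
    """Return a copy of `fields` with an added `sig` hidden field.

    Called when rendering the form; every protected field must be present.
    """
    signed = dict(fields)
    signed["sig"] = hmac.new(secret, _canonical(fields), hashlib.sha256).hexdigest()
    return signed


def verify_hidden_fields(submitted, secret=SERVER_SECRET):
    """True only if all protected fields are present and unchanged since signing.

    Called when the form comes back. A missing field, a missing signature or
    any edited protected value yields False.
    """
    if "sig" not in submitted or any(key not in submitted for key in PROTECTED):
        return False
    expected = hmac.new(secret, _canonical(submitted), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check leaks nothing about the digest.
    return hmac.compare_digest(expected, str(submitted["sig"]))


if __name__ == "__main__":
    # Constructed form for a variable-price item.
    form = sign_hidden_fields({"item_name": "custom print",
                               "amount": "42.00",
                               "currency_code": "USD"})
    print(verify_hidden_fields(form))  # True

    edited = dict(form)
    edited["amount"] = "0.01"  # the hidden field as a user might edit it
    print(verify_hidden_fields(edited))  # False
```

The signature covers only the fields the server chose, so the browser can add or reorder anything else without breaking it, while any change to the price is rejected before the order is acted on. Where the payment itself is completed by a third party, the same expected amount should also be recorded server-side and compared with what that party reports was actually paid.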
