  1. #1
    seezee

    need to hide an input value, but variable rendering as string

    I'm working on integrating a payment solution for a client, and the payment processor requires the value of 2 of the mandatory form fields to be inaccessible via view > source. I've cooked up an elaborate scheme in which the initial page is a form that doesn't contain the 2 fields, just the basic customer info (name, contact, donation amount). The submit action posts to a form handler that:
    1. Using a PHP Include, connects to a database to retrieve the 'protected' form values, specified by the primary key
    2. Fetches an array containing the 2 values (using a while loop)
    3. Posts the info from the 1st form
    4. Builds a new form containing the info from the 1st form, to which the 2 required fields are appended, but with empty values
    5. The PHP Include then prints a link to a .js file
    6. JS inserts the variables (specified in the PHP Include) in the form values
    7. The PHP Include is supposed to read the 2 variables and replace them with the output of the fetched array
    8. A JS onLoad would then submit the form to the payment processor

    Other measures are also in place to keep the casual looker from seeing the output, but the main mechanism relies on this: if JavaScript is enabled, the 2nd form (the one with the goodies) submits before you have a chance to inspect the output or source code, or use a developer browser plugin to view it. If JavaScript is disabled, the variables never get inserted, thus the PHP doesn't write the output in the form values.

    The problem is, once the JS inserts the variables, the PHP include has already run, and doesn't replace the variables with the data from the fetched array.

    So question 1 is, how to get that working? I've tried breaking out the while loop and inserting it after the JavaScript; removing the JS document.ready, etc. but nothing seems to work.

    Question 2 is, does PHP have a way to determine if the requesting browser has JavaScript disabled, so I could write something like:
    PHP Code:
    if (!$javaScriptEnabled) { // placeholder flag: is JavaScript enabled in the browser?
        exit;
    }
    else {
        $includeJS = '<script type="text/javascript" src="path/to/include.js"></script>';
    }

    And of course, if you know a better way to protect form values, I want to hear it.

    Thanks,

  2. #2
    TriLLi
    Hi,

    If you are using PHP, you should consider curl and submit the data from PHP, not from HTML, so your data will be protected.
    http://www.wiseblog.info
    Programmers don't die, they just GO SUB without return.
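
The server-side approach suggested in post #2, as an added example (not code from this thread or from the payment gateway's documentation): the form handler keeps the two protected values on the server and posts them to the processor with PHP's cURL extension, so they never appear in page source or in browser traffic. The field names, environment variable names and gateway URL are hypothetical placeholders.

```php
<?php
// Added example; field names, env vars and the gateway URL are hypothetical.
// Protected values stay on the server; never written into HTML or JS.
function load_protected_fields(): array {
    return [
        'merchant_id'  => getenv('GATEWAY_MERCHANT_ID') ?: 'PLACEHOLDER_ID',
        'merchant_key' => getenv('GATEWAY_MERCHANT_KEY') ?: 'PLACEHOLDER_KEY',
    ];
}

// Copy only the expected customer fields. Anything else the browser sends,
// including its own merchant_id, is dropped.
function build_payload(array $post, array $protected): array {
    $amount = filter_var($post['amount'] ?? null, FILTER_VALIDATE_FLOAT);
    if ($amount === false || $amount <= 0) {
        throw new InvalidArgumentException('Invalid donation amount');
    }
    return [
        'name'   => trim((string) ($post['name'] ?? '')),
        'email'  => (string) filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL),
        'amount' => number_format($amount, 2, '.', ''),
    ] + $protected;
}

// Server-to-server POST with certificate checks on; the browser only ever
// sees whatever this script chooses to print afterwards.
function post_to_gateway(string $url, array $payload): string {
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($payload),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_TIMEOUT        => 15,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        throw new RuntimeException('Gateway request failed: ' . curl_error($ch));
    }
    return $body;
}

// Constructed sample standing in for $_POST from the first form.
$post = ['name' => 'Pat Donor', 'email' => 'pat@example.org',
         'amount' => '25', 'merchant_id' => 'sent-by-browser'];
$payload = build_payload($post, load_protected_fields());
echo implode(',', array_keys($payload)), "\n";
// post_to_gateway('https://gateway.example/process', $payload);
```

The gateway call is left commented out so the script runs offline; with it enabled, the protected values travel only between the web server and the processor.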

  3. #3
    paul_wilkins
    Originally posted by seezee:
    Other measures are also in place to keep the casual looker from seeing the output, but the main mechanism relies on this: if JavaScript is enabled, the 2nd form (the one with the goodies) submits before you have a chance to inspect the output or source code, or use a developer browser plugin to view it.
    There are plenty of ways for a user to find that sent information from their web browser.

    I suggest that you put up a public page that submits such goodies, so we can advise you on the developer plugins that reveal that info.

    Also, people can easily run web debugging proxies such as Charles that make it easy to view all of the transmitted data.

    Anyway, you'd do well to put up some test pages so that we can help you dig out any obvious issues.
    Programming Group Advisor
    Reference: JavaScript, Quirksmode Validate: HTML Validation, JSLint
    Car is to Carpet as Java is to JavaScript

  4. #4
    seezee

    It turns out TriLLi's suggestion is the preferred way to go. I can't directly quote the payment gateway's docs due to the non-disclosure agreement I had to sign, but they are available on the web (see page 20 of the documentation). A reader on another forum kindly provided some sample code I was able to modify, so I'm close to being able to contact the gateway about a sandbox for testing my form.

    Thanks for the offer to help test this -- but since I'm abandoning the original method, it's moot. I still consider it a good problem solving exercise, even if it ultimately wouldn't be practical.

  5. #5
    1) Can't you use sessions?

    2) Explore get_browser()

  6. #6
    seezee
    1. Still learning how
    2. Thanks, I'll look into it

