Need to hide an input value, but variable rendering as string

I’m working on integrating a payment solution for a client, and the payment processor requires the value of 2 of the mandatory form fields to be inaccessible via view > source. I’ve cooked up an elaborate scheme in which the initial page is a form that doesn’t contain the 2 fields, just the basic customer info (name, contact, donation amount). The submit action posts to a form handler that:

[list=1][]Using a PHP Include, connects to a database to retrieve the ‘protected’ form values, specified by the primary key
]Fetches an array containing the 2 values (using a while loop)
[]Posts the info from the 1st form
]Builds a new form containing the info from the 1st form, to which the 2 required fields are appended, but with empty values
[]The PHP Include then prints a link to a .js file
]JS inserts the variables (specified in the PHP Include) in the form values
[]The PHP Include is supposed to read the 2 variables and replace them with the output of the fetched array
]A JS onLoad would then submit the form to the payment processor[/list]
Other measures are also in place to keep the casual looker from seeing the output, but the main mechanism relies on this: if JavaScript is enabled, the 2nd form (the one with the goodies) submits before you have a chance to inspect the output or source code, or use a developer browser plugin to view it. If JavaScript is disabled, the variables never get inserted, thus the PHP doesn’t write the output in the form values.

The problem is, once the JS inserts the variables, the PHP include has already run, and doesn’t replace the variables with the data from the fetched array.

So question 1 is, how to get that working? I’ve tried breaking out the while loop and inserting it after the JavaScript; removing the JS document.ready, etc. but nothing seems to work.

Question 2 is, does PHP have a way to determine if the requesting browser has JavaScript disabled, so I could write something like:

if (!JavaScript){
else {
$includeJS = '<script type="text/javascript" src="path/to/include.js"></script>';

And of course, if you know a better way to protect form values, I want to hear it.


  1. Still learning how
  2. Thanks, I’ll look into it

It turns out TriLLi’s suggestion is the preferred way to go. I can’t directly quote the payment gateway’s docs due to the non-disclosure agreement I had to sign, but they are available on the web (see page 20 of the documentation). A reader on another forum kindly [URL=“”]provided some sample code I was able to modify, so I’m close to being able to contact the gateway about a sandbox for testing my form.

Thanks for the offer to help test this – but since I’m abandoning the original method, it’s moot. I still consider it a good problem solving exercise, even if it ultimately wouldn’t be practical.

  1. Cann’t you use sessions?

  2. explore get-browser()

There are plenty of ways for a user to find that sent information from their web browser.

I suggest that you put up a public page that submits such goodies, so we can advise you on the developer plugins that reveal that info.

Also, people can easily run web debugging proxies such as Charles that make it easy to view all of the transmitted data.

Anyway, you’d do well to put up some test pages so that we can help you dig out any obvious issues.


If you are using PHP you should consider curl -> and submit data from php not from HTML, so your data will be protected.