Posted by Shelly on 01/24/08 14:16
On Jan 24, 8:24 am, Toby A Inkster <usenet200...@tobyinkster.co.uk>
wrote:
> Shelly wrote:
> > Why is this the problem?
>
> > <input type="hidden" value="<?php echo $securityCode; ?>"
> > name="securityHidden">
>
> The problem is twofold:
>
> 1. The security code might be in a hidden field, but the field can still
> be seen quite easily by viewing the source code to the page.
>
> 2. An even bigger problem: the client can change the contents of the
> securityHidden field -- change it to "" for instance.
>
Thank you all for your help. I changed the storage mechanism to a
session variable and removed the hidden field from the form. I now
check the typed-in version against that session variable's contents.
That variable gets changed with each presentation of the form.
Hopefully that fixes the problem. Thanks again everyone.
Shelly
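Both versions side by side, as an added example that is not code from the original thread: the hidden-field pattern Toby objects to, where the server compares two values the client chose, and the session-based check Shelly switched to, where the expected value never leaves the server and is replaced on every form presentation. The function names, the form layout and generateSecurityCode() (a stand-in for whatever produces the code shown in the CAPTCHA image) are assumptions; the original form's other fields are not on the page.

```php
<?php
// Added example, not the thread's own code. In a web request the session
// comes from session_start(); on the CLI a plain array stands in for it so
// the demo at the bottom runs offline.
if (PHP_SAPI === 'cli') {
    $_SESSION = [];
} else {
    session_start();
}

// Hypothetical code generator. random_int() is a CSPRNG; rand()/mt_rand()
// are predictable and must not be used here. The alphabet leaves out
// 0/O and 1/I so the image is readable.
function generateSecurityCode(int $length = 6): string
{
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789';
    $code = '';
    for ($i = 0; $i < $length; $i++) {
        $code .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $code;
}

// --- Broken version: the expected value travels through the client -------
function renderFormHidden(string $securityCode): string
{
    // The code is readable in "view source", and the client can submit
    // any value for securityHidden, "" included.
    return '<form method="post">'
        . '<input type="hidden" name="securityHidden" value="'
        . htmlspecialchars($securityCode) . '">'
        . '<input type="text" name="securityTyped">'
        . '<input type="submit"></form>';
}

function verifyHidden(array $post): bool
{
    // Both operands come from the request, so the attacker controls both.
    return isset($post['securityHidden'], $post['securityTyped'])
        && $post['securityHidden'] === $post['securityTyped'];
}

// --- Fixed version: the expected value lives only in the session ---------
function renderFormSession(): string
{
    // A fresh code on every presentation; the previous one is discarded.
    $_SESSION['securityCode'] = generateSecurityCode();
    // The code itself is not written into the HTML; only the image shows it.
    return '<form method="post">'
        . '<img src="captcha.php" alt="security code">'
        . '<input type="text" name="securityTyped">'
        . '<input type="submit"></form>';
}

function verifySession(array $post): bool
{
    $expected = $_SESSION['securityCode'] ?? null;
    // Single use: drop the code before comparing so a correct answer
    // cannot be replayed, and a wrong guess forces a new code.
    unset($_SESSION['securityCode']);
    if ($expected === null || !isset($post['securityTyped'])
        || !is_string($post['securityTyped'])) {
        return false;
    }
    // hash_equals() compares in constant time; case-folding matches the
    // uppercase alphabet above.
    return hash_equals($expected, strtoupper(trim($post['securityTyped'])));
}

// --- CLI demo with a constructed forged submission -----------------------
if (PHP_SAPI === 'cli') {
    $forged = ['securityHidden' => '', 'securityTyped' => ''];

    // The forged request satisfies the hidden-field check without ever
    // having seen a real code.
    var_dump(verifyHidden($forged));

    // The same request fails the session check: nothing the client sends
    // can influence the expected value.
    renderFormSession();
    var_dump(verifySession($forged));

    // An honest answer passes once, then the code is gone.
    renderFormSession();
    $honest = ['securityTyped' => strtolower($_SESSION['securityCode'])];
    var_dump(verifySession($honest));
    var_dump(verifySession($honest));
}
```

Two details matter beyond moving the value into the session: the code is regenerated on every render (as Shelly describes) and removed on the first verification, so a correct answer cannot be resubmitted with a different form body; and the comparison uses hash_equals() rather than ==, which in PHP would treat a code such as "1E3" as a number.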