[thelist] Hidden Fields

Scott Dexter sgd at ti3.com
Wed Jul 12 20:46:18 CDT 2000


> This makes sense, but surely if you have fields in a form, you want to use
> the information from whatever the user has input. This is what I don't
> understand.
> 
> >(e.g. if I have a directory with multiple topics, and an "Add your Site"
> >link at the bottom of each, a hidden field might carry the topic the data
> >should be entered into).
> 
> So, tell me if I have this right. If you clicked on a link, say "Music", you
> would use a hidden field to hold the value "Music" so that any further
> interaction with the page, e.g. they had to fill out a form, you would know
> it came from the "Music" page. Correct?

yeah kinda sorta, but don't assume that's the only reason--

say for example I have a form that has shipping information. Yeah I want the
user to fill it out, but I don't want the user to see that I have some
administrative information that I have to pass along with the form, whether
it be their name (they've filled it out previously and I'm not using cookies
or server side db to store), the department id they're coming from, or what
have you. Also take for example a timesheet. I might have a hidden field
that enumerates the days of the week that are possible to enter time for --a
cheap array storage (although this really isn't 'cheap' in the sense of
performance, but 'cheap' in that it's easy to populate server side.
Anyway--), a hidden field that contains the page number they're on, or maybe
even a hidden field that is keeping track of the date they're filling out
time for.

All in all, they're for you the form processor to be able to persist data
across pages in addition to cookies.

(NOTE be careful about placing potentially sensitive information in hidden
form fields. The person can not only view source to see the values, but if
you don't write your form processing carefully they can forge the values
(using GET and changing the URL Query string))

that help?
sgd
--
thinksafely.org
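
The note above about forged hidden-field values, as an added example that is not part of the original post: a form processor that treats the hidden "topic" field from the thread as untrusted input, checking it against a server-side tag and an allow-list. The key, the session id, and the function and field names (`sign_hidden`, `render_hidden`, `process_form`, `topic_tag`) are hypothetical.

```python
import hashlib
import hmac
from html import escape
from urllib.parse import parse_qs

# Assumption: a secret that exists only on the server (constructed value).
SERVER_KEY = b"constructed-demo-key"
# Assumption: the directory topics the site really has (constructed list).
ALLOWED_TOPICS = {"Music", "Film", "Books"}


def sign_hidden(session_id: str, name: str, value: str) -> str:
    """Return a hex HMAC-SHA256 tag binding one hidden field to one session."""
    msg = "\x00".join((session_id, name, value)).encode("utf-8")
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def render_hidden(session_id: str, name: str, value: str) -> str:
    """Emit the hidden field and its tag when the server builds the form."""
    tag = sign_hidden(session_id, name, value)
    return (f'<input type="hidden" name="{escape(name)}" value="{escape(value)}">'
            f'<input type="hidden" name="{escape(name)}_tag" value="{tag}">')


def process_form(method: str, body: str, session_id: str) -> str:
    """Return the verified topic, or raise ValueError for a bad submission."""
    if method != "POST":
        # Refuse query-string submissions; this alone does not stop forgery.
        raise ValueError("form must be submitted with POST")
    fields = parse_qs(body, keep_blank_values=True)
    topics = fields.get("topic", [])
    tags = fields.get("topic_tag", [])
    if len(topics) != 1 or len(tags) != 1:
        raise ValueError("missing or duplicated hidden field")
    expected = sign_hidden(session_id, "topic", topics[0])
    # Constant-time comparison on bytes; user input may be non-ASCII.
    if not hmac.compare_digest(tags[0].encode("utf-8"), expected.encode("ascii")):
        raise ValueError("hidden field was modified")
    if topics[0] not in ALLOWED_TOPICS:
        raise ValueError("unknown topic")
    return topics[0]
```

The tag only detects modification; the value is still readable through view source, so sensitive data belongs in server-side storage rather than in the form.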



