[thelist] Hidden Fields
Palyne Gaenir
palyne at sciencehorizon.com
Thu Jul 13 11:46:30 CDT 2000
One tiny clarification to a post I made earlier, I'd said:
> I use hidden fields when for security reasons I don't want to pass
> values on the URL.
As someone else pointed out, this is NOT secure, people can get the
values from viewing source. I actually meant something else -- I
always keep delete templates as a separate file, and for creation
speed reasons, each file that contains all templates for one table
is in a single admin.cfm file, the delete always being admindel.cfm.
I once had a client with access to the server delete an admindel file
by mistake, and re-upload it -- but to the WRONG directory -- and so
while it took him 2 weeks to figure out why his delete function
looked fine but wasn't working on one table, he was deleting massive
amounts of data from a different table (sigh!).
There are other ways to prevent this of course (including putting the
delete function back in the multi-template file). But, now I use a
hidden field that I put a long semi-random string of alphanum in, and
it's different for each admin-admindel combo. So there is no chance
that a file moved or copied to the wrong directory could use the
delete file there, as the validation checks that, nor is there any
chance that just calling the admindel file in the browser without the
proper field value would run it. This is long and boring but I just
wanted to explain. You shouldn't put anything you need to "hide"
from the public in a hidden field, as it's not hidden at all in the
code.
Palyne
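The per-pair token check described in the post, written out as an added Python illustration (not ColdFusion, and not code from the original post); the table names, token values and function names are constructed for the example. It replays the three situations the post mentions: a form posting to its own delete handler, a form that ended up posting to another table's delete handler, and a bare request to the delete handler with no fields at all.

```python
import hmac
import secrets

# Constructed sample tokens: one long random string per admin/admindel pair.
# In practice you generate each once (see new_form_token) and paste the same
# value into that table's admin form and into its delete handler.
FORM_TOKENS = {
    "customers": "c8f1e2a9b47d03e6f5a1c2d3e4f5a6b7c8d9e0f1a2b3c4d5",
    "orders":    "7a3b9c1d2e4f5061728394a5b6c7d8e9f0a1b2c3d4e5f607",
}

def new_form_token():
    """Generate a fresh 48-hex-char token for a new admin/admindel pair."""
    return secrets.token_hex(24)

def render_admin_form(table):
    """Admin side: the fields the form for `table` submits, including the
    hidden token. It is visible in page source, so it is a routing guard,
    not a secret."""
    return {"table": table, "form_token": FORM_TOKENS[table]}

def handle_delete(handler_table, form):
    """Delete side: the handler that was written for `handler_table`.
    It refuses to run unless the submitted token is the one it was paired
    with, so a form copied to the wrong directory, or a bare browser
    request, cannot trigger the delete."""
    submitted = form.get("form_token", "")
    expected = FORM_TOKENS[handler_table]
    # compare_digest keeps the comparison constant-time
    if not hmac.compare_digest(submitted, expected):
        return f"refused: token does not match {handler_table} delete handler"
    return f"deleted rows from {handler_table}"

def scenarios():
    """Replay the situations from the post and return each outcome."""
    return {
        # normal case: customers form posts to the customers delete handler
        "matched_pair": handle_delete("customers", render_admin_form("customers")),
        # the mishap: orders form ends up posting to the customers delete handler
        "wrong_directory": handle_delete("customers", render_admin_form("orders")),
        # someone requests the delete file directly with no form fields at all
        "bare_request": handle_delete("customers", {}),
    }

if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name}: {outcome}")
```

Note that this only stops misrouted or accidental invocations; because the token is in the page source, it does not replace a server-side check that the logged-in user is allowed to delete from that table.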