[thelist] Hidden Fields

Palyne Gaenir palyne at sciencehorizon.com
Thu Jul 13 11:46:30 CDT 2000


One tiny clarification to a post I made earlier. I'd said:

> I use hidden fields when for security reasons I don't want to pass
> values on the URL.  

As someone else pointed out, this is NOT secure, people can get the 
values from viewing source.  I actually meant something else -- I 
always keep delete templates as a separate file, and for creation 
speed reasons, all the templates for one table are in a single 
admin.cfm file, the delete always being admindel.cfm. 
I once had a client with access to the server delete an admindel file 
by mistake, and re-upload it -- but to the WRONG directory -- and so 
while it took him 2 weeks to figure out why his delete function 
looked fine but wasn't working on one table, he was deleting massive 
amounts of data from a different table (sigh!).  

There are other ways to prevent this of course (including putting the 
delete function back in the multi-template file).  But, now I use a 
hidden field that I put a long semi-random string of alphanum in, and 
it's different for each admin-admindel combo.  So there is no chance 
that a file moved or copied to the wrong directory could use the 
delete file there, as the validation checks that, nor is there any 
chance that just calling the admindel file in the browser without 
proper field value would run it.  This is long and boring but I just 
wanted to explain.  You shouldn't put anything you need to "hide" 
from the public in a hidden field, as it's not hidden at all in the 
code.

Palyne
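A small model of the pairing check Palyne describes, added here as an example; it is not her ColdFusion code, and the table names, token length and form field name (pairtoken) are assumptions. Each table's admin template emits a form carrying a hidden field with a long random token, and the matching admindel template is bound to the same token and refuses to delete unless the submitted value matches. The example also shows the caveat from the post: the token is plainly visible in the page source, so this guards against a template being wired to the wrong delete file or called bare, not against a user who can read the page.

```python
"""
Added example (not the original poster's ColdFusion): a Python model of
pairing an admin template with its admindel template through a long
random token carried in a hidden form field.  Table names, field names
and token length are made up for illustration.
"""
import html
import secrets

# Constructed pairing tokens: one per admin/admindel pair.  In the post
# these are long semi-random alphanumeric strings; here they are generated
# once when the module loads and would be baked into both templates.
PAIR_TOKENS = {
    "customers": secrets.token_hex(24),
    "orders": secrets.token_hex(24),
}


def render_admin_form(table, record_id, action="admindel.cfm"):
    """Model of the admin template: a delete form carrying the hidden
    pairing field.  Nothing here is secret from whoever views the source."""
    token = PAIR_TOKENS[table]
    return (
        f'<form method="post" action="{html.escape(action)}">\n'
        f'<input type="hidden" name="pairtoken" value="{token}">\n'
        f'<input type="hidden" name="id" value="{int(record_id)}">\n'
        f'<input type="submit" value="Delete">\n'
        f"</form>"
    )


def token_visible_in_source(table):
    """The post's caveat: the 'hidden' value is right there in the HTML."""
    return PAIR_TOKENS[table] in render_admin_form(table, 1)


def make_delete_handler(table, expected_token, store):
    """Model of one admindel template.  It is compiled for exactly one table
    and one token; a copy dropped into another directory still carries its
    own token and so rejects forms from a different admin template."""

    def handle(form):
        token = form.get("pairtoken")
        # Missing field (bare call in the browser) or mismatch (form from a
        # different admin template) both refuse to run the delete.
        if token is None or not secrets.compare_digest(token, expected_token):
            return {"deleted": False, "reason": "pair token missing or mismatched"}
        try:
            rid = int(form.get("id", ""))
        except ValueError:
            return {"deleted": False, "reason": "bad id"}
        if rid not in store[table]:
            return {"deleted": False, "reason": "no such row"}
        del store[table][rid]
        return {"deleted": True, "reason": "ok"}

    return handle


def demo():
    """Three cases from the post: correct pairing, a form reaching the wrong
    delete file, and the delete file called with no hidden field at all."""
    store = {"customers": {1: "alice", 2: "bob"}, "orders": {10: "widget"}}
    customers_del = make_delete_handler("customers", PAIR_TOKENS["customers"], store)
    orders_del = make_delete_handler("orders", PAIR_TOKENS["orders"], store)

    # 1) customers form posted to the customers admindel: allowed.
    ok = customers_del({"pairtoken": PAIR_TOKENS["customers"], "id": "1"})
    # 2) customers form landing on the orders admindel (file in the wrong
    #    directory): refused, so no rows vanish from the other table.
    wrong_dir = orders_del({"pairtoken": PAIR_TOKENS["customers"], "id": "10"})
    # 3) admindel called directly without the field: refused.
    direct = orders_del({"id": "10"})
    return ok, wrong_dir, direct, store


if __name__ == "__main__":
    print(demo())
    print("token visible in source:", token_visible_in_source("customers"))
```

The compare uses `secrets.compare_digest` out of habit; here the token is public anyway, so the real value of the check is that each admindel file only answers to the admin file it was written for.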