Html Hidden Input Shouldn't Be Editable

I just discovered a bug which I couldn't find any solution of, I would like your advise on that. Issue is there are a few hidden input types, which are there to store ID's of alrea

Solution 1:

Rule of Web Development #1: Never trust the client

Rule of Web Development #2: Never trust the client

Rule of Web Development #3: You can't make the client trustworthy

If the user shouldn't be able to edit it, never give it to them.

As others have said, there are a few ways to handle the situation. The most common is to use a SESSION variable on the server, available almost everywhere.

Store the "secret" values on the SESSION. They will be available when the user posts back.

Solution 2:

You cannot control what data users put in HTTP requests to your server.

Instead, use authentication and authorization, on the server, when the request is received, to make sure that the user is allowed to submit the values they submit.

Solution 3:

If you're wanting to keep track of data from one page to another I would use sessions. This is data that is tracked on the server.

//page one.php$_SESSION['id'] = 22;

//page two.phpecho$_SESSION['id']; //22

Solution 4:

This is a basic functionality of how browsers work - essentially someone could POST data pretending to be your form with whatever values they wanted in the fields - or even add extra fields.

If it's a problem consider moving that data from hidden fields to session variables.

Solution 5:

If it's important for your hidden fields to be secure, don't contain them on the client-side. Client side variables are pretty easy to modify.

You should probably store them in your session, so they're not outputted to the client. If they're required on the page, use AJAX to grab them instead.

It kinda depends on the domain of your application, if it's in-house software then I wouldn't worry about it particularly.