Hidden fields are preferred to visible fields and far preferred to query string data, 
but hidden fields can still be modified. The user can save the form page on their 
desktop, modify the HTML source (and include the full HTTP path in the form action), 
then use their browser to send the modified form on to the server. Do most people have 
that much time on their hands? Of course not. But it's still a risk. (As is a session 
hijack, too.)

Why not create some HEAP tables that will work as session tables, and just insert the 
data into the HEAP tables, then when you're done, do an INSERT INTO...SELECT to take 
the data from the HEAP table and store it in the real table (then DELETE the entries 
from the temporary HEAP table)? That way you're not passing the data page to page, but 
storing it as you go.

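The staging-table approach described in the post, worked through in MySQL syntax. This is an added example, not code from the original message: the table names, columns and the three form pages are assumed for illustration. HEAP is the old name of what MySQL now calls the MEMORY engine. Two caveats a practitioner should keep in mind: the session id is the only thing tying a staging row to a user, so it must be random and unguessable (the same exposure as the session hijack mentioned above), and MEMORY tables are not transactional, so the INSERT ... SELECT and the DELETE cannot be rolled back together, and the staging data is lost if the server restarts.

```sql
-- Added example (not from the original post). Names and columns are assumed.

-- In-memory staging table: one row per in-progress session, keyed by a
-- server-generated session id that never comes from the submitted form.
CREATE TABLE order_staging (
    session_id    CHAR(32)     NOT NULL PRIMARY KEY,
    customer_name VARCHAR(100),
    ship_address  VARCHAR(255),
    card_last4    CHAR(4),
    updated_at    TIMESTAMP    NOT NULL DEFAULT CURRENT_TIMESTAMP
                               ON UPDATE CURRENT_TIMESTAMP
) ENGINE=MEMORY;               -- MEMORY is the current name for HEAP

-- Permanent table the completed data is copied into.
CREATE TABLE orders (
    order_id      INT AUTO_INCREMENT PRIMARY KEY,
    customer_name VARCHAR(100)  NOT NULL,
    ship_address  VARCHAR(255)  NOT NULL,
    card_last4    CHAR(4)       NOT NULL,
    created_at    TIMESTAMP     NOT NULL DEFAULT CURRENT_TIMESTAMP
) ENGINE=InnoDB;

-- Page 1: the server mints the session id (here with MySQL's CSPRNG-backed
-- RANDOM_BYTES; in practice the application generates it and stores it in the
-- session cookie) and records whatever that page collected.
SET @sid = HEX(RANDOM_BYTES(16));
INSERT INTO order_staging (session_id, customer_name)
VALUES (@sid, 'Alice Example');

-- Page 2: add the next field to the same row. Nothing travels in hidden fields;
-- the page only needs the session id from the cookie.
INSERT INTO order_staging (session_id, ship_address)
VALUES (@sid, '1 Main St')
ON DUPLICATE KEY UPDATE ship_address = VALUES(ship_address);

-- Page 3: same pattern for the last field.
INSERT INTO order_staging (session_id, card_last4)
VALUES (@sid, '4242')
ON DUPLICATE KEY UPDATE card_last4 = VALUES(card_last4);

-- Final page: copy this session's completed row into the real table, then
-- remove it from staging. The WHERE clause is the access check: only the row
-- belonging to this session id is moved, and only if every page was filled in.
INSERT INTO orders (customer_name, ship_address, card_last4)
SELECT customer_name, ship_address, card_last4
FROM   order_staging
WHERE  session_id = @sid
  AND  customer_name IS NOT NULL
  AND  ship_address  IS NOT NULL
  AND  card_last4    IS NOT NULL;

DELETE FROM order_staging WHERE session_id = @sid;

-- Housekeeping: abandoned sessions never reach the final page, so sweep stale
-- rows on a schedule or the MEMORY table grows until max_heap_table_size.
DELETE FROM order_staging WHERE updated_at < NOW() - INTERVAL 1 HOUR;
```

The ON DUPLICATE KEY UPDATE form lets each page write only the fields it owns without first checking whether the staging row exists. Because the final INSERT ... SELECT and DELETE are two separate statements against a non-transactional engine, the application should run them in that order and treat a failed INSERT as "leave the staging row alone" rather than assuming both succeeded.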