On Tue, Jun 02, 2009 at 03:49:03PM +0100, Tony Marston wrote:
> "Paul M Foster" <pa...@quillandmouse.com> wrote in message
> > On Tue, Jun 02, 2009 at 02:50:36PM +1000, Angus Mann wrote:
> I would advise against this as hidden fields in forms are NOT in fact
> invisible. The user can see what is there simply by using the browser's
> "View Source" button. It is even possible for the user to copy the form,
> change the variables and submit it with different data. How much of a
> security breach could that be? I use session data for everything so that
> nothing is exposed on the client that does not need to be.
The point of using hidden fields is just to track the state of an
application from invocation to invocation. It wouldn't/doesn't matter if
the user can see this or not when they view source.
Here's an example: an invoicing application. At the first screen, you
select a customer. The controller/model brings in their name, invoice
terms, method of payment, etc. This is used in the next screen, when I
enter the invoice header information, some of which is determined by the
results of fetching the customer data. Since this application
encompasses about four screens, by the third screen, you're going to
want to save and get back some of the data you got from that first
screen, without having to query the database again. The simplest way to
do this is just to store it in hidden variables along the way. None of
this has a big security impact. Hidden variables could be considered the
"memory" of the application. Unless, of course, the data you need to
save *is* sensitive. In which case, I agree, use session variables.
> Likewise I have written an entire ERP application using nothing but the
> Radicore framework and the Data Model Resource Book by Len Silverston. I
> built the PARTY, PRODUCT, ORDER, SHIPMENTS and INVENTORY databases from the
> schemas in the book, then used the Radicore data dictionary to generate the
> basic transactions. All I had to do then was modify the table classes for the
> business rules, customise a few screens, and I have my working application.
> It is being used in real life by an online jewellery company, so it's not
> just an amateur product.
Gosh, Tony, it just sounds like you have something to do personally with
this Radicore framework. Hmm. <grin>
Paul M. Foster
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
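An added example, written for this page and not taken from either poster or from the Radicore framework, of the point the two messages circle: a hidden field is visible in "View Source" and can be edited before the form is resubmitted, so state carried through it cannot be trusted when it comes back even if it is not secret. The code keeps Paul's approach of using hidden fields as the application's "memory" for the customer data fetched on screen one, but attaches an HMAC so an edited field is rejected on screen three. STATE_KEY, pack_state, unpack_state, hidden_state_field and the Acme customer record are assumptions made for the illustration.

```php
<?php
// Added example, not code from the original thread: carrying per-customer
// state between screens in a hidden field that the browser can read but
// cannot alter undetected. STATE_KEY is a hypothetical server-side secret;
// in a real application load it from configuration, never from source.
const STATE_KEY = 'replace-with-a-long-random-secret';

// Serialise the state and append an HMAC-SHA256 tag over the payload.
function pack_state(array $state, string $key): string
{
    $payload = base64_encode(json_encode($state, JSON_THROW_ON_ERROR));
    $tag = hash_hmac('sha256', $payload, $key);
    return $payload . '.' . $tag;
}

// Verify the tag before trusting anything in the payload; null means tampering
// or a malformed value, and the caller should re-fetch from the database.
function unpack_state(string $token, string $key): ?array
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $tag] = $parts;
    $expected = hash_hmac('sha256', $payload, $key);
    // hash_equals() compares in constant time so the tag cannot be guessed byte by byte.
    if (!hash_equals($expected, $tag)) {
        return null;
    }
    $decoded = base64_decode($payload, true);
    if ($decoded === false) {
        return null;
    }
    $state = json_decode($decoded, true);
    return is_array($state) ? $state : null;
}

// Render the hidden field for the next screen; htmlspecialchars() stops the
// value from breaking out of the attribute.
function hidden_state_field(array $state, string $key): string
{
    return '<input type="hidden" name="state" value="'
        . htmlspecialchars(pack_state($state, $key), ENT_QUOTES, 'UTF-8') . '">';
}

// Constructed sample data standing in for the screen-one customer lookup.
$customer = [
    'customer_id' => 42,
    'name'        => 'Acme Ltd',
    'terms'       => 'net30',
    'payment'     => 'invoice',
];

$token = pack_state($customer, STATE_KEY);
echo hidden_state_field($customer, STATE_KEY), PHP_EOL;

// Screen three receives the field back (simulated here instead of $_POST['state']).
$roundTrip = unpack_state($token, STATE_KEY);
echo 'untouched field accepted: ', var_export($roundTrip === $customer, true), PHP_EOL;

// A user decodes the payload in the browser, changes the invoice terms,
// re-encodes it and keeps the original tag.
$tampered = $customer;
$tampered['terms'] = 'net90';
$forgedPayload = base64_encode(json_encode($tampered));
$forgedToken   = $forgedPayload . '.' . explode('.', $token)[1];
echo 'edited field accepted: ', var_export(unpack_state($forgedToken, STATE_KEY) !== null, true), PHP_EOL;
```

Run with the php command-line binary; the untouched field round-trips and the edited one is reported as rejected because its tag no longer matches. Signing only gives integrity: the contents remain readable in the page source, so for state that must actually be hidden from the user the session storage Tony describes is still the right choice.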