Title: RE: [Templates] Objects as hidden variables?

> -----Original Message-----
> From: Larry Leszczynski [mailto:[EMAIL PROTECTED]]
> Sent: 17 December 2004 19:15
> To: Jonathan Mangin
> Cc: Sean Kellogg; [EMAIL PROTECTED]
> Subject: Re: [Templates] Objects as hidden variables?
>
> Depending on how big your session object is and what kind of stuff is in it, another thing you could try is to serialize the entire session into a string and use that as your hidden variable, and then unserialize when the form is submitted.  You could use something like the Storable module's freeze and thaw methods, or maybe the Data::Serializer module:
>
> http://search.cpan.org/~neely/Data-Serializer-0.28/lib/Data/Serializer.pm

You really, really don't want to do this.  Never trust anything that is sent from the browser.  Whilst it seems like a good idea, the security holes are endless.  Using this method when the data is stored server side is fine, but when you are giving the end user the opportunity to change it you are asking for trouble.

S
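As an added illustration (not code from this thread or from either module's documentation), the following Perl script shows why a thawed hidden field cannot be trusted, contrasts it with the server-side store the reply recommends, and adds an HMAC-signed variant for the case where the data really must ride in the form. The session contents, id scheme and secret are constructed placeholders.

```perl
#!/usr/bin/env perl
# Added illustration for this thread, not code from it. Core modules only.
use strict;
use warnings;
use Storable qw(freeze thaw);
use MIME::Base64 qw(encode_base64 decode_base64);
use Digest::SHA qw(hmac_sha256_hex);
# 1. The pattern suggested above: the whole session rides in a hidden field.
sub session_to_hidden { encode_base64(freeze($_[0]), '') }
sub hidden_to_session { thaw(decode_base64($_[0])) }

my $session = { user => 'alice', role => 'member', cart_total => 42 };   # constructed sample
my $field   = session_to_hidden($session);

# The browser can post any blob it likes; the server thaws it and has no way to tell it
# apart from its own. (Storable's docs also warn that thaw() on untrusted input is unsafe.)
my $tampered = session_to_hidden({ %$session, role => 'admin' });
printf "thawed role: %s (tampering is invisible)\n", hidden_to_session($tampered)->{role};

# 2. What the reply recommends: keep the data server side, send only an opaque id.
my %store;   # stands in for a file- or DB-backed session store
sub save_session {
    my ($s) = @_;
    my $id = unpack 'H32', pack 'C16', map { int rand 256 } 1 .. 16;   # illustrative; use a CSPRNG in production
    $store{$id} = freeze($s);
    return $id;                                   # the id, not the data, goes in the hidden field
}
sub load_session {
    my ($id) = @_;
    return exists $store{$id} ? thaw($store{$id}) : undef;   # unknown or altered id: no session
}

# 3. If the data really must travel with the form, sign it so tampering is detected.
#    The key stays on the server; the user can still read (though not alter) the contents.
my $key = 'replace-with-a-server-side-secret';   # placeholder
sub sign_field   { my ($blob) = @_; return "$blob." . hmac_sha256_hex($blob, $key) }
sub verify_field {
    my ($f) = @_;
    my ($blob, $mac) = $f =~ /^(.*)\.([0-9a-f]{64})$/ or return undef;
    return undef unless hmac_sha256_hex($blob, $key) eq $mac;   # a constant-time compare is preferable
    return hidden_to_session($blob);
}
my $sid = save_session($session);
printf "server-side lookup: %s\n", load_session($sid)->{role};
printf "forged id: %s\n", defined load_session('0' x 32) ? 'accepted' : 'rejected';
my $signed = sign_field($field);
my ($orig_mac) = $signed =~ /\.([0-9a-f]{64})$/;
printf "signed, untouched: %s\n", verify_field($signed)->{role};
printf "signed, altered: %s\n", defined verify_field("$tampered.$orig_mac") ? 'accepted' : 'rejected';
```

Signing only proves the blob came from the server unmodified; it does not hide the contents, which is why the server-side id is the approach the reply endorses.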
