On Oct 24, 5:03 pm, Branko Vukelic <[email protected]> wrote:
> * Calculated values are shown, and a form with hidden fields and a
> submit button labeled 'Confirm' is shown

The hidden fields still show in the page source though. A smart user
could submit his own set of data if he can see what field ids are
being expected. That's what I want to avoid. There must be no way a
user can change the charge amount at any stage of the process.

I had another idea a short while ago: I'll cache the charge amount for all
the rows (in the server-side session object), and send through (as
form post data) only the identity of the selected row. That way, the next
controller function will be able to retrieve the appropriate
calculation result for the selected row, and the user will have no way
to edit the calculation amount.

What do you think?
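The session-cache approach described in the message above, as an added example that is not code from this thread (the plain-dict `session`, the sample rows and the pricing function are assumptions standing in for the real framework objects). The naive handler trusts an `amount` posted back from a hidden field; the session-backed handler accepts only a row id, takes the amount from the server-side copy, and clears it after use so a stale result cannot be replayed.

```python
from decimal import Decimal

# Constructed sample data: rows the user chooses between, and a pretend tariff.
ROWS = {"r1": {"weight_kg": 2, "zone": "A"}, "r2": {"weight_kg": 10, "zone": "B"}}
RATE_PER_KG = {"A": Decimal("1.50"), "B": Decimal("2.25")}


def calculate_charge(row):
    """Server-side pricing; the client never supplies this value."""
    return RATE_PER_KG[row["zone"]] * row["weight_kg"]


def confirm_hidden_field(post):
    """The flawed pattern: the amount round-trips through a hidden field,
    so whatever the client posts is what gets charged."""
    return Decimal(post["amount"])


def show_options(session):
    """Step 1 (first controller): compute every row's charge, keep the
    results in the server-side session, and return them for rendering."""
    charges = {rid: calculate_charge(row) for rid, row in ROWS.items()}
    session["charges"] = charges  # the only authoritative copy
    return charges


def confirm(session, post):
    """Step 2 (next controller): the form posts only the selected row id.
    Any 'amount' field the client adds is ignored; unknown ids and a
    missing calculation are rejected rather than recomputed from input."""
    charges = session.get("charges")
    if not charges:
        raise ValueError("no calculation in session; restart the process")
    row_id = post.get("row_id")
    if row_id not in charges:
        raise ValueError("unknown row id")
    amount = charges[row_id]
    del session["charges"]  # one-shot: a second submit must recalculate
    return amount


if __name__ == "__main__":
    session = {}
    print(show_options(session))          # {'r1': Decimal('3.00'), 'r2': Decimal('22.50')}
    tampered = {"row_id": "r2", "amount": "0.01"}
    print(confirm_hidden_field(tampered))  # 0.01  (client-chosen price)
    print(confirm(session, tampered))      # 22.50 (server-chosen price)
```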
