Most secure way to submit hidden fields?
-
InvalidTypecast wrote:
I have concerns with this as hidden fields can be modified as its saved in the html on the client side.
No problem. Client can view the hidden field. But he can't make changes to that.
InvalidTypecast wrote:
Can I simulate this in my codebehind in my aspx.cs file so that I don't have to worry about people messing with the values?
Simulating hidden fields ? How you are going to do this ? Creating hidden fields from code behind ?
Navaneeth My Website
Navaneeth. wrote:
Client can view the hidden field. But he can't make changes to that.
Of course they can. Just view the source, edit it, save it as an html file on disk, and browse to it.
Navaneeth. wrote:
Simulating hidden fields ? How you are going to do this ? Creating hidden fields from code behind ?
No. Just send the values as post data in a request.
--- single minded; short sighted; long gone;
-
I am reading paypal's instructions for integrating a custom shopping cart into their payment system on their website. They state an example would look something like this: I have concerns with this as hidden fields can be modified as its saved in the html on the client side. Can I simulate this in my codebehind in my aspx.cs file so that I don't have to worry about people messing with the values? I am using c#. What is my best bet? Thank you
I don't understand why you have concerns, if the user changes the hidden fields either the payment won't go through or it will go to the wrong person/be the wrong amount (in which case its entirely their fault). I don't see that theres any confidential information there that you wouldn't want people to see, and as the form posts to a secure server no-one would be able to pick the request off the wire.
-
Navaneeth. wrote:
Client can view the hidden field. But he can't make changes to that.
Of course they can. Just view the source, edit it, save it as an html file on disk, and browse to it.
Navaneeth. wrote:
Simulating hidden fields ? How you are going to do this ? Creating hidden fields from code behind ?
No. Just send the values as post data in a request.
--- single minded; short sighted; long gone;
Guffa wrote:
Of course they can. Just view the source, edit it, save it as an html file on disk, and browse to it.
Yes that they can do. But how come they can post the data to paypal ?
Navaneeth My Website
-
Guffa wrote:
Of course they can. Just view the source, edit it, save it as an html file on disk, and browse to it.
Yes that they can do. But how come they can post the data to paypal ?
Navaneeth My Website
-
I mean they can edit the values by saving to their computer. But they can't do anything with the values rite. Means sending that value to the server etc
Navaneeth My Website
-
I mean they can edit the values by saving to their computer. But they can't do anything with the values rite. Means sending that value to the server etc
Navaneeth My Website
-
Of course they can. If you have a form on a web page, the user's browser is sending the form to paypal, so there is no difference if they make their own form and send to paypal.
--- single minded; short sighted; long gone;
There are plugins now that actually make editing the html on a live page really easy. It's as simple as clicking an Edit HTML button and they can modify the live html and submit whatever they want. How would I post the values from the code behind?
-
You can use a WebRequest or a WebClient object to post a form from code behind.
--- single minded; short sighted; long gone;
What would an example be using one of the Http methods you just mentioned given the format in my original post?
-
I don't understand why you have concerns, if the user changes the hidden fields either the payment won't go through or it will go to the wrong person/be the wrong amount (in which case its entirely their fault). I don't see that theres any confidential information there that you wouldn't want people to see, and as the form posts to a secure server no-one would be able to pick the request off the wire.
I don't want people changing the prices of things etc.
-
I don't want people changing the prices of things etc.
If you program it correctly that shouldn't matter - the response you get back from PayPal will contain the amount they paid, you can check that against how much they should of paid and if it doesn't match up show them an appropriate message. It won't affect a legitimate user and anyone who does it deliberately its their own fault.
-
If you program it correctly that shouldn't matter - the response you get back from PayPal will contain the amount they paid, you can check that against how much they should of paid and if it doesn't match up show them an appropriate message. It won't affect a legitimate user and anyone who does it deliberately its their own fault.
That's a good point badgrs, thank you
-
There are plugins now that actually make editing the html on a live page really easy. It's as simple as clicking an Edit HTML button and they can modify the live html and submit whatever they want. How would I post the values from the code behind?