Most secure way to submit hidden fields?
-
Navaneeth. wrote:
Client can view the hidden field. But he can't make changes to that.
Of course they can. Just view the source, edit it, save it as an html file on disk, and browse to it.
Navaneeth. wrote:
Simulating hidden fields? How are you going to do this? Creating hidden fields from code behind?
No. Just send the values as post data in a request.
--- single minded; short sighted; long gone;
Guffa wrote:
Of course they can. Just view the source, edit it, save it as an html file on disk, and browse to it.
Yes, that they can do. But how come they can post the data to PayPal?
Navaneeth My Website
-
I mean they can edit the values by saving to their computer. But they can't do anything with the values, right? Meaning sending that value to the server, etc.
Navaneeth My Website
-
Of course they can. If you have a form on a web page, the user's browser is sending the form to PayPal, so there is no difference if they make their own form and send it to PayPal.
--- single minded; short sighted; long gone;
There are plugins now that actually make editing the html on a live page really easy. It's as simple as clicking an Edit HTML button and they can modify the live html and submit whatever they want. How would I post the values from the code behind?
-
You can use a WebRequest or a WebClient object to post a form from code behind.
--- single minded; short sighted; long gone;
What would an example be using one of the Http methods you just mentioned given the format in my original post?
-
I don't understand why you have concerns. If the user changes the hidden fields, either the payment won't go through or it will go to the wrong person/be the wrong amount (in which case it's entirely their fault). I don't see that there's any confidential information there that you wouldn't want people to see, and as the form posts to a secure server no one would be able to pick the request off the wire.
I don't want people changing the prices of things etc.
-
I don't want people changing the prices of things etc.
If you program it correctly that shouldn't matter - the response you get back from PayPal will contain the amount they paid, you can check that against how much they should have paid and if it doesn't match up show them an appropriate message. It won't affect a legitimate user, and for anyone who does it deliberately it's their own fault.
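The check described in the post above, as an added example (not code from the thread or from PayPal). It assumes the payment response has already been confirmed as coming from PayPal and arrives as form fields using PayPal's IPN variable names (`invoice`, `payment_status`, `receiver_email`, `mc_currency`, `mc_gross`); `Order`, `PaymentCheck` and the sample order are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Globalization;

// Hypothetical order record kept on the server; nothing here is read from the form.
public sealed class Order
{
    public decimal Amount;
    public string Currency;
    public string PayeeEmail;
}

public static class PaymentCheck
{
    // Returns null when the reported payment matches the order, otherwise the reason.
    public static string Mismatch(NameValueCollection reported, IDictionary<string, Order> orders)
    {
        Order order;
        string invoice = reported["invoice"];
        if (invoice == null || !orders.TryGetValue(invoice, out order))
            return "unknown order";
        if (!string.Equals(reported["payment_status"], "Completed", StringComparison.Ordinal))
            return "payment not completed";
        if (!string.Equals(reported["receiver_email"], order.PayeeEmail, StringComparison.OrdinalIgnoreCase))
            return "paid to a different account";
        if (!string.Equals(reported["mc_currency"], order.Currency, StringComparison.Ordinal))
            return "wrong currency";
        decimal paid;
        if (!decimal.TryParse(reported["mc_gross"], NumberStyles.AllowDecimalPoint,
                              CultureInfo.InvariantCulture, out paid))
            return "amount not parseable";
        return paid == order.Amount ? null : "amount differs from order total";
    }
}

public static class Program
{
    public static void Main()
    {
        var orders = new Dictionary<string, Order> { { "ORD-1001",
            new Order { Amount = 49.99m, Currency = "USD", PayeeEmail = "shop@example.com" } } };
        // Constructed sample: the hidden amount field was edited before the form was posted.
        var tampered = new NameValueCollection {
            { "invoice", "ORD-1001" }, { "payment_status", "Completed" },
            { "receiver_email", "shop@example.com" }, { "mc_currency", "USD" }, { "mc_gross", "0.01" } };
        Console.WriteLine(PaymentCheck.Mismatch(tampered, orders) ?? "ok");
    }
}
```

The order is fulfilled only when `Mismatch` returns null, so an edited price, currency or payee in the hidden fields results in an unfulfilled order rather than a discounted one.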
-
If you program it correctly that shouldn't matter - the response you get back from PayPal will contain the amount they paid, you can check that against how much they should have paid and if it doesn't match up show them an appropriate message. It won't affect a legitimate user, and for anyone who does it deliberately it's their own fault.
That's a good point badgrs, thank you