Avoiding hidden form fields

Hidden fields in a form can be useful, but they can also pose a huge security risk. Take an example of a web page which allows a user to edit a customer’s details.

Using a browser add-on such as Firebug, it's very easy for a user to change the value of that customer_id field on the fly. Just by changing the value of the id field to the id of another customer, it's then possible to overwrite one customer's details with another's. You can see how this might be a problem!

The simplest solution to this problem is to store the value in the session data instead of passing it as a hidden field, like so:

Then, when performing your save you write something like this:

Hurrah, no chance of getting the wrong id for the customer. But wait, what happens if the user opens two different browser windows, each editing a different customer? Opening the second browser window will overwrite the customer_id in the session data, and saving on either window will overwrite the data of the second customer.

To get around this I store the relevant “hidden” data for every form in a separate session variable and pass a token to the form. I have written a class and associated functions to do this. Using our example of editing a customer the code now looks like this:

Now, when the form is posted, I can retrieve the data like so:
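An added example, not the author's class: a Python sketch of the per-form token approach described above, with the session modelled as a plain dict. The names `FormStore`, `put`, `take` and the `form_store` session key are assumptions made for illustration.

```python
import secrets


class FormStore:
    """Keeps each form's "hidden" values server-side, keyed by a random token."""

    KEY = "form_store"  # hypothetical session key holding all pending forms

    def __init__(self, session):
        # One dict per session; each rendered form gets its own entry in it.
        self.forms = session.setdefault(self.KEY, {})

    def put(self, **fields):
        """Store the fields for one rendered form and return its token.

        Only the token goes into the HTML form, so the browser never holds
        (and cannot edit) the customer id itself.
        """
        token = secrets.token_urlsafe(32)  # unguessable, from the OS CSPRNG
        self.forms[token] = dict(fields)
        return token

    def take(self, token):
        """Return the fields for a posted token and retire the entry.

        Unknown, malformed or already-used tokens give None; the caller
        should reject the save rather than fall back to any posted id.
        """
        if not isinstance(token, str):
            return None
        return self.forms.pop(token, None)


def two_windows_demo():
    """Two edit forms open at once in the same session (constructed data)."""
    session = {}                          # stand-in for one user's session
    store = FormStore(session)
    token_a = store.put(customer_id=17)   # window A: editing customer 17
    token_b = store.put(customer_id=42)   # window B: editing customer 42
    saved_b = store.take(token_b)         # B saves first, A is unaffected
    saved_a = store.take(token_a)
    forged = store.take("not-a-real-token")  # edited token resolves to nothing
    replayed = store.take(token_a)           # second submit of the same form
    return saved_a, saved_b, forged, replayed
```

A token only selects an entry inside the caller's own session, so a token copied from another user's form resolves to nothing. A form that is re-rendered after a validation error needs a fresh `put`, because `take` retires the entry.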

