I need to resend a value from a previous html form in another form so that it can be used as part of a prepared SQL statement.

However, I do not really want to use html hidden input due to potential security problems.

Anyone know of another method?

Thanks.

3 Answers

Temporarily save the values in a session.

Hidden HTML inputs shouldn't cause any security problems though, as long as you properly validate them (again) before putting them in the database.

2 Comments

When using sessions, consider creating a random key for the values, passing through the key in the form, and accessing the session data based on the key. If you don't do that and use static identifiers, your form flow will f**k up if the user is doing different things in multiple tabs.
Yeah that's one of the reasons why I haven't been too keen on using sessions to deal with this.
You can save it in the session, then the user would never see the value.

1 Comment

Certainly a better option than the hidden input
I don't believe you raise any more security risks than sending the original form.

You do have some other options, however, if you don't want to use a hidden form element:

  1. Storing the value in a $_GET variable (not recommended, due to it being visible in the URL bar)

  2. Using a cookie to store the variable (user could have cookies disabled)

  3. Using sessions to store the variable server-side

3 Comments

I thought it could be a potential security issue, for instance using <input type="hidden" name="frompreviousform" value="$value" />, there is nothing stopping someone saving the html page and editing it or using some sort of javascript injection.
There's nothing stopping the user from sending whatever form values he wants to your server. He doesn't need the HTML form to submit it to your server. Just make sure you escape $value, as it could contain rogue code that would be injected into your HTML page.
That's true, this value is basically a primary key of a table in my database and will only ever be used for querying the database and I've covered SQL injection already.
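The session approach suggested in the first answer, with the per-flow random key from its comment, written out as an added example (not code from any of the answers). It assumes a PDO connection in `$pdo` and a table `items` with an integer primary key `id`; the hidden input carries only the opaque key, and the value is re-validated before the prepared statement runs.

```php
<?php
// Added example: carry a value between two forms via the session, keyed by a
// random per-flow token so that several browser tabs do not clobber each other,
// and re-validate the value before using it in a prepared statement.
// Assumes a PDO connection in $pdo and a table `items` with integer column `id`.

session_start();

// Step 1 (first form handler): stash the value under a random flow key.
function stash_in_session(int $itemId): string
{
    $flowKey = bin2hex(random_bytes(16));           // 128-bit unguessable key
    $_SESSION['flows'][$flowKey] = [
        'item_id' => $itemId,
        'expires' => time() + 900,                  // discard after 15 minutes
    ];
    return $flowKey;
}

// Step 2 (second form): only the opaque key goes into the hidden input.
function render_flow_field(string $flowKey): string
{
    return '<input type="hidden" name="flow" value="'
        . htmlspecialchars($flowKey, ENT_QUOTES, 'UTF-8') . '">';
}

// Step 3 (second form handler): look the value up, validate it again and bind
// it in a prepared statement. The session value is treated as untrusted too.
function fetch_for_flow(PDO $pdo, ?string $flowKey): ?array
{
    if ($flowKey === null || !preg_match('/^[0-9a-f]{32}$/', $flowKey)) {
        return null;                                // malformed key
    }
    $entry = $_SESSION['flows'][$flowKey] ?? null;
    unset($_SESSION['flows'][$flowKey]);            // single use
    if ($entry === null || $entry['expires'] < time()) {
        return null;                                // unknown or expired flow
    }
    $itemId = filter_var($entry['item_id'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($itemId === false) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, name FROM items WHERE id = :id');
    $stmt->execute([':id' => $itemId]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Usage: $key = stash_in_session(42); echo render_flow_field($key);
// later:  $row = fetch_for_flow($pdo, $_POST['flow'] ?? null);
```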