
I have a form that takes a user message and sends it to the recipient. On the PHP side, I have three variables: $senderid, $recipientid and $messageid. So far I have been using hidden inputs on the form, for example

<input type="hidden" id="senderid" value="<?php echo $senderid; ?>" />
<input type="hidden" id="recipientid" value="<?php echo $recipientid; ?>" />
<input type="hidden" id="messageid" value="<?php echo $messageid; ?>" />
<textarea id="message" name="message" rows="5" cols="10"></textarea>

I am using var senderid = $('#senderid').val(); and so on for the rest to pass them to an Ajax script. This works fine. The thing I don't like is that the hidden input, even though it is hidden, can be changed. Someone could change the value of $senderid, $recipientid and $messageid through Firebug. If someone did so, it would totally screw my message system. Is there any other way to pass the variables to Ajax without using hidden inputs?

  • 4
    Clients will always be able to edit HTML/JavaScript. You need to implement server-side validation. Commented Jan 26, 2012 at 17:44
  • Why not use session variables? Commented Jan 26, 2012 at 17:44
  • 2
    Anything that comes from the client-side, if left unchecked could screw your system. If you need to make sure the sender is who he says he is, the variable should remain server-side, possibly in the $_SESSION variables. Commented Jan 26, 2012 at 17:45
  • You should have a check server side to make sure forging the id can't screw with your system. Post your ajax code and I'll try help. Commented Jan 26, 2012 at 17:45
  • Umm, store the hidden value in a JavaScript variable? There's no need to put it in the DOM unless you want to allow form submissions for users without JavaScript, too (which would mean Ajax wouldn't work in the first place). Also, take care, because as @spidEY mentioned, client-side validation is not enough ... Commented Jan 26, 2012 at 17:46

1 Answer

There is no simple way to do this. You could pass it as a JavaScript variable, or even somehow hashed, e.g. with a SHA function. But I'd suggest you rethink your way of doing things.

For example, if this is something like a message form to another user, you could have the following:

  • senderid: I assume this is the current, logged-in user, so you can take this from the session.
  • recipientid: you can have this as a hidden input, but in your controller (or the function where you're sending the message) you should check whether the current user is actually allowed to send a message to the recipient (for example, if the recipient is on their friends list).

Anyway, never trust data that is submitted from browser.
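The following is an added example, not code from the question or the answer above, showing how the handler behind the Ajax call can follow that advice: the sender id is read from the session and never from the request, the recipient id is accepted from the form but validated and then authorized against server-side state, and a forged senderid in the POST body is simply ignored. The table names, the friends-list rule and the in-memory SQLite database are all hypothetical so that the script runs stand-alone; in the real endpoint you would call sendMessage($pdo, $_SESSION, $_POST) after session_start().

```php
<?php
declare(strict_types=1);
// Added example (hypothetical schema and data), not the original page's code.

function openDemoDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE friendships (user_id INTEGER, friend_id INTEGER)');
    $pdo->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY AUTOINCREMENT,
                sender_id INTEGER, recipient_id INTEGER, body TEXT)');
    // Constructed sample data: user 1 is allowed to message user 2, nobody else.
    $pdo->exec('INSERT INTO friendships VALUES (1, 2)');
    return $pdo;
}

// Server-side authorization rule (hypothetical): recipient must be on the sender's friends list.
function canMessage(PDO $pdo, int $senderId, int $recipientId): bool {
    $stmt = $pdo->prepare('SELECT 1 FROM friendships WHERE user_id = ? AND friend_id = ?');
    $stmt->execute([$senderId, $recipientId]);
    return $stmt->fetchColumn() !== false;
}

/**
 * Core handler. $session stands in for $_SESSION and $post for $_POST so the
 * logic can be exercised without a web server.
 */
function sendMessage(PDO $pdo, array $session, array $post): array {
    // 1. The sender's identity comes only from the session, never from the request.
    if (!isset($session['user_id'])) {
        return ['ok' => false, 'error' => 'not logged in'];
    }
    $senderId = (int) $session['user_id'];

    // 2. The recipient does come from the client (the hidden input): validate its type first...
    $recipientId = filter_var($post['recipientid'] ?? null, FILTER_VALIDATE_INT);
    $body = trim((string) ($post['message'] ?? ''));
    if ($recipientId === false || $body === '') {
        return ['ok' => false, 'error' => 'bad input'];
    }

    // 3. ...then authorize it against server-side state.
    if (!canMessage($pdo, $senderId, $recipientId)) {
        return ['ok' => false, 'error' => 'not allowed to message this user'];
    }

    // 4. The message body is untrusted text too, so use a prepared statement.
    $stmt = $pdo->prepare('INSERT INTO messages (sender_id, recipient_id, body) VALUES (?, ?, ?)');
    $stmt->execute([$senderId, $recipientId, $body]);
    return ['ok' => true, 'messageid' => (int) $pdo->lastInsertId()];
}

// Stand-alone demo with a constructed session for user 1.
$pdo = openDemoDb();
$session = ['user_id' => 1];

// Legitimate request from the form: accepted.
var_dump(sendMessage($pdo, $session, ['recipientid' => '2', 'message' => 'hi']));
// Hidden input edited to point at a non-friend: rejected by the authorization check.
var_dump(sendMessage($pdo, $session, ['recipientid' => '3', 'message' => 'hi']));
// A senderid smuggled into the POST body changes nothing; the session decides who sent it.
var_dump(sendMessage($pdo, $session, ['senderid' => '99', 'recipientid' => '2', 'message' => 'hi']));
```

The point is that the hidden input is merely a convenience for the client; whatever it contains is re-checked against data the server already holds, so editing it in Firebug cannot make the server do anything the logged-in user was not permitted to do anyway.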
