Hidden Parameters

Never trust hidden parameters! You ask why? Because it is very easy to change them. All it takes is to save the web page on the local hard drive, modify the action field to point to the necessary script on the server, modify the necessary parameter, and execute the modified file.

Despite their shortcomings, hidden parameters can still be used; you simply have to be very careful with them. We will start by looking at how to hide parameters from honest users and beginning hackers. Sometimes it is necessary to pass some service information from one page to another without using cookies for this. In this case we can make use of hidden parameters. This can be done in several ways, which we will consider.

The first way is to create an input field of the hidden type as follows:

<form action="param.php" method="post">
  <input name="UserName">
  <input type="hidden" name="HiddenParam" value="00000">
</form>

Input fields whose type is set to hidden are not displayed by the browser, but param.php, the file to which the form sends its data, will still see the $HiddenParam variable containing five zeros.

The following example demonstrates how the same thing can be done in a much easier way:

<form action="param.php?HiddenParam=00000" method="post">
  <input name="UserName">
</form>

Which of the methods you choose is up to you and your preferences. I try not to use any of them and instead entrust my data to cookie files or save parameters on the server. This is a little more difficult, but with the correct approach it is much more secure, and it works even if cookie support is disabled in the user's browser.
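To show what both forms above look like from the receiving side, and how the server-side alternative differs, here is an added example of a param.php (example code written for this page, not the author's script). It assumes register_globals is off, so the hidden value is read explicitly from $_POST (first form) or $_GET (second form, where the value travels in the action URL's query string even though the method is post); the ALLOWED list and the ServiceParam session key are hypothetical names chosen for the example.

```php
<?php
// Added example, not from the original post: param.php as the target of
// both forms. Assumes register_globals is off, so nothing becomes a bare
// $HiddenParam variable; the value is read from the request arrays.
session_start();

// First form: HiddenParam arrives in the POST body.
// Second form: HiddenParam sits in the action URL, so it arrives in $_GET
// even though the form method is post. In both cases the client chose it.
$hidden = $_POST['HiddenParam'] ?? $_GET['HiddenParam'] ?? null;

// Hypothetical list of values the previous page is allowed to pass along.
const ALLOWED = ['00000', '00001'];

// Treat the hidden value as untrusted input: it must match exactly,
// with a strict comparison so "0" or "00000 " are not accepted.
function hiddenParamIsAcceptable(?string $value): bool
{
    return $value !== null && in_array($value, ALLOWED, true);
}

// The server-side alternative the post recommends: the service information
// lives in the session, which the client cannot edit by saving and
// modifying the HTML. (Hypothetical key name; set by the first page.)
function serverSideParam(): string
{
    if (!isset($_SESSION['ServiceParam'])) {
        $_SESSION['ServiceParam'] = '00000';
    }
    return $_SESSION['ServiceParam'];
}

$userName = trim($_POST['UserName'] ?? '');

if (!hiddenParamIsAcceptable($hidden)) {
    // A modified or missing hidden field is rejected instead of being used.
    http_response_code(400);
    exit('HiddenParam was modified or missing');
}

// Output is escaped because UserName is also client-supplied.
echo 'Hidden field (client-supplied): ' . htmlspecialchars((string) $hidden) . "\n";
echo 'Session value (server-held):    ' . htmlspecialchars(serverSideParam()) . "\n";
echo 'User: ' . htmlspecialchars($userName) . "\n";
```

Saving the page locally and changing value="00000" to something else will be caught by hiddenParamIsAcceptable(), whereas the session value is never exposed in the form at all, which is the difference the post is pointing at.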

Tag: PHP Development | Date: 2/14/2010 9:30:40 AM