Hidding defined variables in POST

Hi eduran582,

This isn't possible without forwarding the request through your own program, which is not really a simple thing to do. To do this, you'd need the form to submit to your own custom web software, which would then turn around and make another request to the final page with the user's form data plus your extra secret data. There are a bunch of other things that might make this even more complicated (e.g. cookies.) We could custom build a solution for you through consulting. Let us know if you're interested in that.

However, there might be an alternative approach.

What exactly is it that you're trying to do? What are you posting to, and why is there danger in visitors seeing (and being able to change) the value of, for example, "version"?

Hope this helps!

Hi Chris,

Thanks for replying. The reason for the "secrecy" is in the form being used; it will be used to make a payment to a 3rd party vendor gateway and the 'secret' fields consist of various information like terminal ID, terminal password, etc. As you can see, if I used the "hidden" form field approach, anyone viewing the source would have access to this information. The "version" field is just one of the required fields that must be sent to the vendor.

The alternative you mentioned is exactly what I was considering pending a non-feasible possibility using what I described; having the user data (credit card, name, etc) sent (POSTed) to another page where it would be processed in a more secure manner before sending to the 3rd party gateway along with the "secret" info for processing. I just haven't decided how or what language I would approach that with yet [unsure]

I'm not above considering a custom build but, like everyone now-days, do not have a big budget for this project. Can you give me an idea of how complex this might be in terms of time and I'll consult with my customer. I'd be happy to call and give more details.

Thanks!

Eric

Hi,

have you checked if your 3rd party vendor have any instructions or recommendations on how to use their gateway securely?

-aev-

Hi aev,

The 3rd party vendor, nor their IT staff, are not very helpful and simply referred me to another entity that was using the same gateway I guess thinking I could just email them asking for help. The "Integration Guide" they send simply defines the variables required and what type of input is needed from the user and then in a short section states: "...simply construct a message as described in Section 2, and follow the transaction type requirements as outlined in tables in Section 7, and POST it to a <3rd party vendor> URL that is provided to you. The request should be POSTed as ....." Section 2 defines the all fields and section 7 defines the required fields.

Following their instructions would allow the user to see the required information I mentioned in my prior posts; not acceptable. So in a nutshell, no; the did not have any recommendations on how to use their gateway securely.

Thanks for asking.

Eric

HAHAHAHA! [;)] I wish! Unfortunatly, the customer specified this vendor which I think they have a contract with anyway. Heck, I suggested PayPal which I use and have had no problems. Oh well,...

Eric

Hi Eric,

If you can email me some details to dave@interactivetools.com I can give you some suggestions and options.

Hope that helps!