Hello Chaps

I've got a text field on a form whose content is generated by the pressing of a submit button, which randomizes the content. I was happy with this but have since read that these fields can be exploited, so how do I ensure that this text field is read-only?

I've tried disabling the content, but it just 'grays out', and I've read that this only works in IE.

Can anyone help because I'm stuck?


You send the HTML to the user's computer; in almost all situations this will be dealt with by a standard browser, but in theory they could even write their own. Even with the standard browsers, though, it's possible to get around this using JavaScript inputs, or perhaps by writing an extra form page that mimics yours. In short, unless you have a secure server-side copy of this random content for verification (and that isn't actually too hard, unless you need to generate it client-side for some particular reason, and even then Ajax might work), there's no way to make a form secure.

In fact, as a general rule, treat all data from forms as potential attacks, so follow the proper procedures to secure it, like escaping strings before entering them into a database, etc.

I believe that <.... disabled="true"> will be generally effective across most/all browsers, but it isn't really 'secure'.

Of course you can also use a hidden input (that is, type="hidden"), which would not even display on the page. But it would be visible in the source. That means they'd have to know about it (or guess) to be able to change anything. Sometimes the best security is simply knowing something the other person doesn't. So, if this is just casual security, that might be just fine. But, still, to protect yourself from hackers, it might be a good idea to use some sort of server-side backup.
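The "server-side copy for verification" approach from the answer above, as an added example that is not part of the original thread. The server generates the random value when the randomize button is pressed, keeps it in the user's session, renders it into the field, and on final submit compares the submitted value against its own copy in constant time, then discards it so it cannot be replayed. The field is rendered with the HTML `readonly` attribute rather than `disabled`, because a disabled input is not included in the form submission at all, whereas a readonly one is. The in-memory `SESSIONS` dictionary, the session id, and the field name `random_field` are assumptions standing in for a real framework's session store.

```python
import hmac
import html
import secrets

# Constructed stand-in for a real server-side session store (assumption).
# Keyed by an opaque session id that the browser holds in a cookie.
SESSIONS: dict[str, dict[str, str]] = {}


def issue_random_value(session_id: str, nbytes: int = 16) -> str:
    """Handler for the 'randomize' button.

    The random content is generated here, on the server, and the
    authoritative copy is stored in the session. Whatever the browser
    later sends back is only ever compared against this copy.
    """
    value = secrets.token_hex(nbytes)
    SESSIONS.setdefault(session_id, {})["random_value"] = value
    return value


def render_field(value: str) -> str:
    """HTML sent to the browser for the field.

    readonly (not disabled): the browser still submits the value, but the
    user cannot type into it. This is cosmetic only; a modified browser,
    a script, or a hand-built form can still send anything.
    """
    return (
        '<input type="text" name="random_field" '
        f'value="{html.escape(value, quote=True)}" readonly>'
    )


def verify_submission(session_id: str, form_data: dict[str, str]) -> bool:
    """Handler for the final submit. Trusts only the server-side copy.

    Returns True when the submitted field matches the value this server
    issued for this session, False for a missing, tampered, or replayed
    value. The stored value is consumed on success so it is single-use.
    """
    expected = SESSIONS.get(session_id, {}).get("random_value")
    if expected is None:
        return False                      # nothing was issued to this session
    submitted = form_data.get("random_field", "")
    # Constant-time comparison on bytes; compare_digest rejects
    # unequal lengths without raising.
    if not hmac.compare_digest(expected.encode(), submitted.encode()):
        return False
    del SESSIONS[session_id]["random_value"]   # single-use
    return True


if __name__ == "__main__":
    sid = "session-abc"                       # constructed session id
    issued = issue_random_value(sid)
    print(render_field(issued))
    print("honest submit :", verify_submission(sid, {"random_field": issued}))
    print("replay        :", verify_submission(sid, {"random_field": issued}))
    issued = issue_random_value(sid)
    print("tampered      :", verify_submission(sid, {"random_field": issued + "x"}))
    print("correct retry :", verify_submission(sid, {"random_field": issued}))
```

The important property is that the submitted field is never used as data in its own right: the server already knows the value, so the field only proves that the client is completing the round it was issued. If the value itself is what matters (a price, an id, a discount code), the server should ignore the field entirely and use `SESSIONS[session_id]["random_value"]` directly.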