ASP or CGI??


slyfox
12-19-2003, 07:07 PM
Hi.. I did post this one in ASP forum also, but what do you think??

What I'm busy doing is reading form values using asp, then making a calculation in asp and then submitting the form with those values in hidden fields...

Problem is, the user can stop my "processing" asp page with the browser and view the hidden fields values in page source.. and I don't want that..

..so how do i do this..?

I thought of CGI (no ways user can jippo that one).. but I don't know that language.. I want to do it with ASP (without any users peeking the hidden fields)..

Any ideas please!! ...possible?? ..please..:confused: :(

Phil Karras
12-26-2003, 03:17 PM
Sounds like a real problem with ASP to me. How is it possible that a user can stop a server-side process and get the information? That seems like a big security breach to me. Oh, I forgot, ASP, that's Microsoft, the security hole people.

On the other hand from what I'm reading of your question the client is not stopping the ASP program they are stopping another HTML page with a <form> and "hidden" input fields.

There is no way around that one, that's HTML. What you can do is submit to an ASP program that already has the "hidden" values in its code so they are not in HTML input-tags and cannot be viewed by the client.

Yes, this means you need to write new ASP programs for each form.

OR you could have a database of values you need and you simply pass to the ASP program what set of values you need for this form. That could be in the hidden field and it wouldn't mean anything to anyone and even if they changed it they would only be messing up their own form and not really getting any meaningful information for all their efforts.

ray326
12-27-2003, 01:28 AM
Then don't use hidden form fields to maintain state. Do it with a session. Do all your processing on the server, keeping the data you WERE keeping in hidden fields in session variables.

Phil Karras
12-28-2003, 04:05 PM
Perhaps a bit more is needed? A session and a session variable is what? How does one have a "session"? How does one get session variables?

etc.

ray326
12-28-2003, 07:39 PM
http://www.google.com/search?q=asp+session&sourceid=mozilla-search&start=0&start=0&ie=utf-8&oe=utf-8

Sessions are provided by the ASP-enabled server. Sessions are containers for session variables (name/value pairs).

slyfox
01-05-2004, 04:05 PM
ok-ok

the info i'm sending is to another server... they are probably using cgi... but i don't care what they have got or use or what they do... all i'm worried about is getting the form values posted to them without anyone(public) knowing what the return url is (seen in hidden fields)...

got a tip to use visible="false".... but where and with what???

slyfox
01-05-2004, 04:06 PM
oh and by the way.. I'm using ASP-JScript... not Microsoft at all..;)

Phil Karras
01-05-2004, 09:00 PM
If you are sending to a secure site then that part is secure. However, if you do not have a secure site of your own, then the only way to get the data to the other site is to have it in the form that is to be posted to them. This means that almost anyone can read the data.

There are ways to make it more difficult, especially if the hacker does not know what you're doing, but it probably is still possible to hack.

I've developed at least two ways to make it much more difficult to hack, but again, not impossible.

I will not give these methods on a public board because that would simply invite hackers to figure them out that much sooner.

The best, and completely secure, way is to have your own site where you can add the information going to the other site so that it does not need to be in the form at all. I'm presently learning how to do just that. In both PHP and Perl you open a secure socket to the other host and pass the needed information from your form along with the additional information. I do not yet know how to do this. When I do figure it out I'd be willing to post that since there should be no way to hack it.
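
The approach ray326 and Phil Karras describe above (keep the calculated values in a server-side session and have the server, not the browser's form, send them on), as an added example that is not from any poster in this thread. It is written in Node.js JavaScript rather than ASP; the function names, the price and the URL are assumptions made for illustration.

```javascript
// Added example (Node.js). The Map stands in for the server's session store;
// in classic ASP the built-in Session object plays this role.
const crypto = require('crypto');

const sessions = new Map();                        // session id -> server-side values
const RETURN_URL = 'https://shop.example/thanks';  // constructed; never sent to the browser
const UNIT_PRICE_CENTS = 1250;                     // constructed price for the calculation

// Step 1: read the form, do the calculation, keep the results on the server.
function startOrder(form) {
  const qty = Number.parseInt(form.qty, 10);
  if (!Number.isInteger(qty) || qty < 1 || qty > 100) throw new Error('bad quantity');
  const sid = crypto.randomBytes(16).toString('hex'); // unguessable session id
  sessions.set(sid, { qty, totalCents: qty * UNIT_PRICE_CENTS, returnUrl: RETURN_URL });
  return sid; // a real server would hand this to the browser in a cookie
}

// The page sent to the browser: a confirm button only, no hidden data fields.
function renderConfirmPage() {
  return "<form method='POST' action='/confirm'>" +
         "<input type='submit' value='Confirm order'></form>";
}

// Step 2: on confirm, build the body for the other server from the session.
// postedFields is what the browser sent; it is deliberately never read.
function buildOutboundBody(sid, postedFields) {
  const s = sessions.get(sid);
  if (!s) throw new Error('unknown or expired session');
  sessions.delete(sid); // one use per order, so a replayed id is rejected
  return new URLSearchParams({
    qty: String(s.qty),
    total_cents: String(s.totalCents),
    return_url: s.returnUrl,
  }).toString(); // the server sends this over HTTPS; it never passes through the browser
}

// Constructed run: the client tries to slip in its own total.
const sid = startOrder({ qty: '3' });
const page = renderConfirmPage();
const body = buildOutboundBody(sid, { total_cents: '1' });
console.log(page.includes(RETURN_URL), body);
```
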

slyfox
01-06-2004, 04:33 PM
Thanks Phil Karras

Please send me a private message once you have figured that one out.. please-please-please!!!!!!!

Following is an answer i got from poefeo in the asp forum:

*****************************

It's an attribute for the elements.
<asp:button id="butid" visible="false" runat="server"/>
or
butid.visible = false
Html elements are the same way even though that is an asp:button, I guess for you it would be <input id="something" runat="server" type="text">
something.visible = false

*****************************

haven't tried it yet, but hope it works with asp-jscript as peofeo is using asp.net

Anycase.. thanks for your help on this!!

:)

Phil Karras
01-06-2004, 04:55 PM
Thanks for the info I'll give it a try here to see if it really works that way. If you want a private message I'll try to remember to do that.

Phil Karras
01-09-2004, 10:07 AM
As far as I can tell there is no way to use html or JavaScript to hide the html from the client being able to right-click/view source and being able to see all the form fields that are on the page, visible or not.

Using HTML you can use:
<input name='tst' value='Phil' type='hidden'>

Using styles you can use:
<input name='tst' value='Phil' type='text' style='visibility:hidden'>

and last, you can put these in a <div id='test01'> and use JavaScript to change its visibility to hidden as well.

In all cases using a right-click/view source will allow the client to see the hidden values in those <input>-tags.


<head>
<script type='text/javascript'>
// Hide the div with id 'test01' once the page has loaded.
function hidebox() {
  Which = 1;
  if (document.all) { // IE
    test01.style.visibility="hidden";
  }
  else if (document.layers) { // NS4 layers
    document.Ltest01.visibility="hide";
  }
  else if (document.getElementById) { // NS7.0 gets here
    var obj = document.getElementById('test01');
    obj.style.visibility="hidden";
  }
}
</script>
</head>
<body onLoad='hidebox()'>

<form name='f1' action='help277.htm' method='GET'>
<layer name='Ltest01'>
<div ID='test01'>
This is div-ID: test01, Can you see my contents?<br><br>
<input name='color' value='blue' type='text'>
</div>
</layer>

<div ID='test02'>
This is div-ID: test02, Can you see my contents?<br><br>
<input name='color' value='blue' type='hidden'>
<input name='texture' value='rough' style='visibility:hidden'>
<input type='submit' name='submit' value='submit'>
</div>
</form>

</body>

The JavaScript to hide the div does the same. None of these things are "visible" to the user of the page, but all are visible in the code using right-click/view source. (The user sees only the submit button on the page.)

Better check your ASP method as well, if the <input>-tag is able to be seen using the right-click method then it's not hidden at all.