I have a form that takes a user message and sends it to the recipient. On the PHP side, I have three variables: $senderid, $recipientid and $messageid. So far I have been using hidden inputs on the form, for example
<input type="hidden" id="senderid" value="<?php echo $senderid; ?>" />
<input type="hidden" id="recipientid" value="<?php echo $recipientid; ?>" />
<input type="hidden" id="messageid" value="<?php echo $messageid; ?>" />
<textarea id="message" name="message" rows="5" cols="10"></textarea>
I am using var senderid = $('#senderid').val(); and so on for the rest to pass them to an Ajax script. This works fine. The thing I don't like is that the hidden input, even though it is hidden, can be changed. Someone could change the value of $senderid, $recipientid and $messageid through Firebug. If someone did so, it would totally screw up my message system. Is there any other way to pass the variables to Ajax without using hidden inputs?
There is no simple way to do this. You could pass it as a JavaScript variable, or even somehow hashed, e.g. with a SHA function. But I'd suggest you rethink your way of doing things.
For example, if this is something like a message form to another user, you could have the following:
senderid: I assume this is the current, logged-in user, so you can take this from the session.
recipientid: you can have this as a hidden input, but in your controller (or the function where you're sending the message) you should check whether the current user is actually allowed to send a message to the recipient (for example, if the recipient is on their friends list).
Anyway, never trust data that is submitted from the browser.
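The following is an added example of the server-side handler the answer describes; it is not code from the question or the answer. It assumes the logged-in user's id is kept in $_SESSION['user_id'], a friends table (user_id, friend_id) records who may message whom, a messages table (id, sender_id, recipient_id, reply_to, body) stores messages, and the Ajax call POSTs to this script. The sender id is taken from the session only, and the recipientid and messageid that still arrive from the form are validated and authorised against the database before anything is written.

```php
<?php
// Added example (not the poster's or answerer's code).
// Assumptions: $_SESSION['user_id'] holds the logged-in user, a `friends`
// table (user_id, friend_id) lists allowed recipients, and a `messages`
// table (id, sender_id, recipient_id, reply_to, body) stores messages.

declare(strict_types=1);
session_start();
header('Content-Type: application/json');

// 1. The sender is whoever is logged in. It never comes from the browser,
//    so editing a hidden input in the developer tools cannot change it.
if (empty($_SESSION['user_id'])) {
    http_response_code(401);
    echo json_encode(['error' => 'not logged in']);
    exit;
}
$senderid = (int) $_SESSION['user_id'];

// 2. Values that must come from the form are validated as integers first.
//    filter_input returns null when the field is absent and false when invalid.
$recipientid = filter_input(INPUT_POST, 'recipientid', FILTER_VALIDATE_INT);
$messageid   = filter_input(INPUT_POST, 'messageid', FILTER_VALIDATE_INT); // optional reply-to id
$message     = trim((string) ($_POST['message'] ?? ''));

if (!is_int($recipientid) || $messageid === false || $message === '') {
    http_response_code(400);
    echo json_encode(['error' => 'bad request']);
    exit;
}

// Connection details are placeholders for this example.
$pdo = new PDO('mysql:host=localhost;dbname=app', 'app_user', 'app_password', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

// 3. Authorisation: may the logged-in user message this recipient?
//    The friends-list rule is the one the answer suggests; substitute your own.
function canMessage(PDO $pdo, int $senderid, int $recipientid): bool
{
    $stmt = $pdo->prepare(
        'SELECT 1 FROM friends WHERE user_id = :u AND friend_id = :f LIMIT 1'
    );
    $stmt->execute([':u' => $senderid, ':f' => $recipientid]);
    return $stmt->fetchColumn() !== false;
}

// 4. If the form carries a messageid (the message being replied to), confirm the
//    current user is a party to that message instead of trusting the id as sent.
function ownsMessage(PDO $pdo, int $userid, int $messageid): bool
{
    $stmt = $pdo->prepare(
        'SELECT 1 FROM messages WHERE id = :m AND (sender_id = :u1 OR recipient_id = :u2) LIMIT 1'
    );
    $stmt->execute([':m' => $messageid, ':u1' => $userid, ':u2' => $userid]);
    return $stmt->fetchColumn() !== false;
}

if (!canMessage($pdo, $senderid, $recipientid)
    || ($messageid !== null && !ownsMessage($pdo, $senderid, $messageid))) {
    http_response_code(403);
    echo json_encode(['error' => 'not allowed']);
    exit;
}

// 5. Only now is the message stored, with every id coming from the session
//    or from a check the server performed itself.
$stmt = $pdo->prepare(
    'INSERT INTO messages (sender_id, recipient_id, reply_to, body) VALUES (:s, :r, :p, :b)'
);
$stmt->execute([
    ':s' => $senderid,
    ':r' => $recipientid,
    ':p' => $messageid,   // null when no reply-to id was sent
    ':b' => $message,
]);

echo json_encode(['ok' => true, 'id' => (int) $pdo->lastInsertId()]);
```

With this layout the senderid hidden input disappears from the form entirely, and the remaining hidden fields are treated as untrusted hints: a changed recipientid or messageid is rejected with 403 rather than acted on, which is the point of the answer's "never trust data submitted from the browser".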