i’m trying to re-populate user inputs into form fields for when they input data and have to fix it due to errors
i’m usually accomplishing it like this:
<input type="text" name="username" value="<?php echo @$_POST['username'];?>" />
<input type="password" name="password" value="<?php echo @$_POST['password'];?>" />
my problem with this is that when i view source if they put in an invalid username/password, the actual password they typed in is visible in the view source (not sure if browser matters but it’s firefox)
what’s the best way to accomplish this?
You can’t set a default value for a password field without that value being in the source, but you don’t need to.
The point of obscuring the password is so that someone looking over the shoulder of the user can’t easily see what the password is.
Only the user (who knows what the password they just typed is) can tell their browser to View Source.
If you are worried about the password being intercepted in transit, then it is as vulnerable going from the browser to the server as it is going the other way. Use SSL encryption (https) for all your secure browser-server communications.
Meanwhile, since you are taking data from
$_POST(which is external input) and injecting it directly into the page, you are vulnerable to an XSS attack.