Home/ Questions/Q 7643755
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-31T09:31:28+00:00

Say I have one form that changes its content (fields and options) based on

  • 0

Say I have one form that changes its content (fields and options) based on the user’s current state in a multi-state process. Say that it always leads to the same action, which means the action needs to figure out what event occurred and on which entity. 

<form action='/somecontroller/someaction' method='post'></form>

What is the most common way of transferring this sensitive data to the controller? I’m reluctant to even suggest hidden fields, as those can be changed by anyone. Two way encryption of some sort which is then decrypted in the action and used to determine the rest, server-side? Perhaps serialize sensitive info, encrypt it, and put it in a single hidden field on the client side of the form, then decrypt and unserialize in the controller?

<?php

$hiddenData = unserialize($this->decrypt($_POST['hiddenData'], SALT));
unset($_POST['hiddenData']);
$data = array_merge($hiddenData, $_POST);
...

Basically – how do I send some data with a form securely without exposing it to outside alterations, that is, without making sure something can go wrong if it is altered? Is there some kind of best practice regarding this?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Interesting question. What I would do is a combination of the following (if sessions are not a solution for you):

    1. employ a AES_256 / modifyed AES_256 crypt/decrypt on a serialized representation
    2. make a MD5 + SALT (or similar) hash of the variables that you could compare with a stored hash to determine if any manipulation took place
    3. use something like the user’s IP as SALT to generate the hashes or for the crypt functions, thus if a user’s IP should change you’ll know that (beware: an IP address might change under some circumstances)
    • 0