Can php avoid (not)hidden variables by POSTing

ayj

I've had a look at quite a few threads on this and still don't feel entirely clear on it. The question is simple - can I directly set POST variables to be sent with a form's output using PHP, rather than the usual "hidden" (not) html form statement - thereby making the variables genuinely hidden. The added bit is that they are being sent to a cgi on another server.

ayj

swr

I'm not entirely sure what you are asking for, but it sounds like the user being able to view/edit source and see/change hidden fields is not acceptable.

Using PHP sessions is the usual way to handle state server-side instead of client-side. But you mention sending to a CGI on another server, and PHP sessions don't work across multiple servers like form variables do, so that won't work.

You could use hidden form fields, but encrypt the data. That requires the CGI on the other server know enough to decrypt it. Also, encryption is often trickier than most people expect, and novices often end up with systems that look secure but have subtle vulnerabilities (even using established algorithms).

I would suggest having your PHP script interact with the remote server, instead of having the client browser do it. Basicly, the client browser should interact with your PHP, and your PHP should make the actual connection to the other server. Then you can pass your secret form variables directly to the other server, without passing them through the client. From the user's perspective your PHP script is just a front end for the remote CGI. The user doesn't even have to be able to access the remote CGI, or even be shown any evidence of its existence.

ayj

Hi swr

Thanks for the reply - you've understood the situation correctly but I don't entirely understand how to implement your answer.

It is not practical for me to have anything done to the receiving cgi.

So is there a way to send data across to that cgi in a way that is not visible in the html on my web page? It is hard to describe things when one does not know if they exist 🙂 but something like a (PHP statement) POST_('thisvariable') that identifies some extra variables which are sent across to the other cgi when the form is clicked but which are not themselves disclosed in the form itself at all.

In fact it is not really a critical issue, the data is not that sensitive, but I am more interested in the general question.

Perhaps what you are suggesting is that the user clicks on my page that then sends data to another php page of mine which does not open in a browser at all but simply attaches the extra hidden variables and sends the lot straight on to the external cgi (I'm sure easier said than done).

Thanks again

ayj

swr

Suppose the CGI is here:
http://www.example.com/cgi-bin/foo

In your PHP, you can open a URL as if it were a file. So you could do this:

$cgifile = fopen("http://www.example.com/cgi-bin/foo?user=ayj&password=secret&operation=whatever");

That would cause your PHP to make an HTTP GET request to the CGI. You could then read the resulting web page from the $cgifile file handle. Basicly, your PHP is acting as if it were a web browser to the other CGI, while the actual web browser is only accessing your PHP page.

If you need to use POST to access the CGI instead of GET, there is a way to do it, but it requires implementing the HTTP protocol. There are examples out there; google for "php http post fsockopen" should point you in the right direction.

It would be nice if the PHP developers would provide an HTTP POST function, but as far as I know there is nothing built in to PHP at this time, so you have to use fsockopen to do POST.

ayj

"It would be nice if the PHP developers would provide an HTTP POST function, but as far as I know there is nothing built in to PHP at this time, so you have to use fsockopen to do POST."

yeh...

never mind and thanks for the help, as I said it is not a critical issue for me more a question of how can I do this.

ayj

Weedpacket

Originally posted by ayj
"It would be nice if the PHP developers would provide an HTTP POST function, but as far as I know there is nothing built in to PHP at this time, so you have to use fsockopen to do POST."

Not built in by default, but it is there; look up [man]cURL[/man].

ayj

That looks really interesting and useful Weedpacket, I must check it out further, thanks

ayj