Hidden CGI fields in HTML

Ron Klatchko ron at library.ucsf.edu
Wed Aug 11 00:19:16 CEST 1999


Ian Clarke wrote:
> I am using CGI with Python and am trying to find a way that I can
> generate the HTML for a form such that one of the INPUT controls will
> have a fixed value (set when the page is generated by a previous CGI
> script), that CANNOT be edited by the user (or prefereably not even
> seen) - but will be passed to the next CGI script.

That depends on your level of paranoia.  As many people have pointed
out, you can use a hidden field but that only hides at the HTML display
level.  Anyone who wanted to hack that could save the HTML, modify the
hidden field, and voila, they've edited the data.

If you have some way of revalidating the hidden data (if you require
HTTP_AUTHENTICATION, perhaps based on the REMOTE_USER) that would add a
level of security.  Better yet, use a cookie and store the data on your
server.  If the user can't access it, they can't modify it.

moo
----------------------------------------------------------------------
          Ron Klatchko - Manager, Advanced Technology Group           
           UCSF Library and Center for Knowledge Management           
                        ron at library.ucsf.edu




More information about the Python-list mailing list