[_] PHP header() GET not POST
Tom Gidden
tom at gidden.net
Sun Sep 3 17:20:11 BST 2006
On 3 Sep 2006, at 16:43, Mike Walters wrote:
> Ouch :) I think it offers an amount of data hiding, which given the
> alternative could well be beneficial. People still could view the
> source of the form/POST if they have disabled JS, so from that
> angle it is just shifting the data. Thanks.

Okay, but that's what you were asking for :) POST redirection
instead of Header("Location:...") will involve sending the data to
submit to the client, at which point, the user will have access to
the data.

It sounds like POST isn't what you need. If you want to communicate
directly and privately from A (your server) to B (the third party),
then don't communicate via C (the client's user agent) and expect C
to POST the data to B without C having access to the data!

If, on the other hand, you're just trying to obfuscate it (as implied
by <quote>"I want to minimise the chance of someone editing the
parameters"</quote>), then POST using JS as I described may be
sufficient. For extra credit, scramble the values of the hidden
fields and get the onLoad to unscramble them before form.submit().
That way, it'd be really tedious (although of course, not impossible)
to mess with the parameters. Way beyond the casual user, and way
beyond the attention span of most geeks.

If you really do need to talk to the third party direct and securely,
then yeah, you're going to need to get an alternative API from the
PSP for direct communication from PHP to them, or get a new PSP.

Tom
--
Tom Gidden
http://gidden.net/tom/
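
Added example, not part of the original message or any PSP's own code: the direct A-to-B case described above, where PHP posts to the third party itself so the parameters never pass through the client. The endpoint URL, the field names and the function name post_to_psp() are hypothetical; a real PSP defines its own server-to-server API.

```php
<?php
// A (this server) posts to B (the PSP) directly, so C (the browser)
// never receives the parameters and has nothing to view or edit.

function post_to_psp(string $endpoint, array $fields): array
{
    $ch = curl_init($endpoint);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,   // return the body instead of echoing it
        CURLOPT_FOLLOWLOCATION => false,  // never re-send the data to a redirect target
        CURLOPT_SSL_VERIFYPEER => true,   // verify B's certificate chain
        CURLOPT_SSL_VERIFYHOST => 2,      // and that it matches B's hostname
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 15,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        throw new RuntimeException('PSP request failed: ' . curl_error($ch));
    }
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    return ['status' => $status, 'body' => $body];
}

// Constructed sample values. In practice these come from server-side
// state (session, database), never from a field the client sent back.
$order = ['order_id' => 'ORD-0001', 'amount' => '19.99', 'currency' => 'GBP'];

// Usage: php psp_post.php https://psp.example/charge   (hypothetical URL)
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    try {
        $result = post_to_psp($argv[1], $order);
        // Tell the user only the outcome, not the request that was sent.
        echo $result['status'] === 200
            ? "Payment request accepted\n"
            : "Payment request rejected\n";
    } catch (RuntimeException $e) {
        error_log($e->getMessage());      // details stay in the server log
        echo "Payment request failed\n";
    }
}
```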