How to keep form data from being viewed in source

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

daedalus__
DevNet Resident
Posts: 1925
Joined: Thu Feb 09, 2006 4:52 pm

Post by daedalus__ »

Okay.

My work is developing an online store for their current (ASP) website.

The guy and I are trying to figure out how to obscure our form data so that a malicious user viewing the source can't read any of the data.

It's a crappy CC verification software and company and I have no idea how any of their stuff works. Their guide recommended that we use a server side language to pass sensitive information to the next page in the form.

All I can say is "WTF"?

My first thought was, instead of using "hidden" form fields, maybe we can use a server side language to post values we do not want seen to the next page. It's probably a stupid idea, but it was a thought.

The second thing I thought of was to simply encrypt the sensitive information. I think this would work best but he wants to hide the form names as well.

I remembered a neat trick I saw on a website once. They sell website templates and let you view them in their entirety but when you view the source it's a very long encrypted string surrounded by one or two functions that unencrypt and output it to the browser. Now, I don't know how or where they hid the actual function definitions but I know that the trick fooled me long enough for me to become disinterested and move on.

I am wondering if any of these methods will work, and what your recommendation for securing this data is.

Now, I know that this may not be enough to go on and I know as much about the problem as I have told you all. He just asked "how can I secure the data in this form so people viewing the source can't view it". I am merely trying to answer his question so please bear with me, even if it is a stupid one.
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Re: How to keep form data from being viewed in source

Post by Roja »

Daedalus- wrote: "how can I secure the data in this form so people viewing the source can't view it"
You can't.

Not effectively, not reliably, can't be done. All you can do is *obscure* the data to make it harder to view it. Can't != harder.
daedalus__
DevNet Resident
Posts: 1925
Joined: Thu Feb 09, 2006 4:52 pm

Post by daedalus__ »

He asked not me.

If you know a good method of obscuring the data, maybe you could share?

Sharing is caring :)
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Post by Roja »

Daedalus- wrote: He asked not me.

If you know a good method of obscuring the data, maybe you could share?

Sharing is caring :)
If there was a good method, I would. There isn't. All of them simply increase the difficulty, none much better than another. With a good proxy, or with a good browser plugin, you can see right through most of the obfuscation techniques with a couple of clicks.
daedalus__
DevNet Resident
Posts: 1925
Joined: Thu Feb 09, 2006 4:52 pm

Post by daedalus__ »

I see.

Well, I understand what his "problem" is now because I just went to talk to him.

It's nothing that anyone can help. The company processing our transactions certainly isn't very smart though. Thanks for the help though ^^
bg
Forum Contributor
Posts: 157
Joined: Fri Sep 12, 2003 11:01 am

Post by bg »

Why is sensitive data being stored in hidden forms? That's the real question.
printf
Forum Contributor
Posts: 173
Joined: Wed Jan 12, 2005 5:24 pm

Post by printf »

You can always use SSL by way of passing the post via an internal function, fsockopen(SSL://), CURL(SSL) or directly with the default OpenSSL binary on Windows or all flavors of Unix/Linux/Mac. That is as safe as you will ever get!


pif!
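
The approach the thread converges on (keep sensitive values on the server and send them to the processor from server-side code over SSL), as an added example that is not part of the original posts or any processor's real integration code. The gateway URL, the field names and the MERCHANT_KEY environment variable are assumptions made up for illustration.

```php
<?php
// Added example. GATEWAY_URL, the field names and MERCHANT_KEY are placeholders.
declare(strict_types=1);
const GATEWAY_URL = 'https://gateway.example/charge'; // hypothetical endpoint

// Cart page: keep order values in the session, not in hidden form fields.
function remember_order(string $orderId, int $amountCents): void
{
    $_SESSION['order'] = ['id' => $orderId, 'amount' => $amountCents];
}

// Form handler: only the card fields the customer typed come from $_POST.
function build_gateway_fields(array $session, array $post, string $merchantKey): array
{
    if (!isset($session['order'])) {
        throw new RuntimeException('No order in session');
    }
    return [
        'merchant_key' => $merchantKey,                 // never sent to the browser
        'order_id'     => $session['order']['id'],
        'amount'       => $session['order']['amount'],  // not editable by the client
        'card_number'  => preg_replace('/\D/', '', (string) ($post['card_number'] ?? '')),
        'card_expiry'  => (string) ($post['card_expiry'] ?? ''),
    ];
}

// Server-to-server POST over TLS, certificate and host name checks enabled.
function post_to_gateway(array $fields): string
{
    $ch = curl_init(GATEWAY_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_TIMEOUT        => 15,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        throw new RuntimeException('Gateway request failed: ' . curl_error($ch));
    }
    return $body;
}
if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    session_start();
    $fields = build_gateway_fields($_SESSION, $_POST, (string) getenv('MERCHANT_KEY'));
    echo htmlspecialchars(post_to_gateway($fields));
}
```

With this layout the page source contains only the card input fields; the order amount and merchant key exist only in the session and in the outbound request.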