I’m trying to set up a custom form in WordPress using a plugin, following these instructions as a tutorial: http://code.tutsplus.com/tutorials/creating-a-custom-wordpress-registration-form-plugin–cms-20968 . I’m not trying to create a “register user” plugin; I just take that as an example of how to create custom forms in WordPress. For my question, I don’t think that using WordPress is relevant, so I’m posting this question in the general section.
Right now I want to handle some security issues.
I have an input field in this form that takes the value “name” from my database and displays it to the users in a field of the form. Then this “name” is sent again to the database. I don’t want users to be able to modify this field. I’ve used “readonly” in my form, but anyone can edit the source of the page and edit that “name”, so this is not very safe.
What can I do to prevent visitors from editing this field?
If necessary, I can also use JavaScript.
I hope this helps you stop accepting incorrectly edited values.
While echoing your form, make a hidden input like this…. with hash_hmac
Then, at the receiver end, validate the given name with $hmac.
If $hmac and $foo match, then no one has edited your input. Make your “mysecretstring” non-guessable.
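One way to implement the HMAC check this answer describes, as an added PHP example (not code from the question or the answer): the constant FORM_FIELD_SECRET, the function names, the user id 42 and the sample value “Alice” are assumptions; the tag is also bound to the field name and a user id so that a tag copied from another field or another user’s form does not verify.

```php
<?php
// Added example: HMAC-protecting a read-only form value. The secret must stay
// server-side (e.g. defined in wp-config.php); this value is a placeholder.
define('FORM_FIELD_SECRET', 'REPLACE-WITH-A-LONG-RANDOM-SECRET');

// Keyed tag over field name, user id and value. Binding the field name and user
// id means a tag copied from another field or another user's form will not verify.
function sign_field(string $field, int $user_id, string $value): string {
    $data = $field . "\0" . $user_id . "\0" . $value;
    return hash_hmac('sha256', $data, FORM_FIELD_SECRET);
}

// Emit the visible read-only input plus the tag in a hidden input.
function render_signed_field(string $field, int $user_id, string $value): string {
    $v = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    $t = sign_field($field, $user_id, $value);
    return "<input type=\"text\" name=\"$field\" value=\"$v\" readonly>\n"
         . "<input type=\"hidden\" name=\"{$field}_hmac\" value=\"$t\">\n";
}

// On submit: recompute the tag from the submitted value and compare in constant
// time. Returns the value if untouched, null if it is missing or was edited.
function verify_signed_field(array $post, string $field, int $user_id): ?string {
    if (!isset($post[$field], $post[$field . '_hmac'])) {
        return null;
    }
    $value = (string) $post[$field];
    $expected = sign_field($field, $user_id, $value);
    return hash_equals($expected, (string) $post[$field . '_hmac']) ? $value : null;
}

// Constructed demo: user 42's database record holds the name "Alice".
$user_id = 42;
echo render_signed_field('name', $user_id, 'Alice');

// An untouched submission verifies; one edited in the page source does not.
$untouched = ['name' => 'Alice',   'name_hmac' => sign_field('name', $user_id, 'Alice')];
$edited    = ['name' => 'Mallory', 'name_hmac' => sign_field('name', $user_id, 'Alice')];
var_dump(verify_signed_field($untouched, 'name', $user_id));
var_dump(verify_signed_field($edited, 'name', $user_id));
```

When verification returns null, reject the whole submission rather than falling back to the submitted value. If the server never actually needs the value from the form, the simplest fix is to not accept it at all and re-read it from the database on submit.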
First of all, leave it as you are doing, then add an extra hidden input field and assign it the value you gave to your readonly field, and then when you are submitting your form get the value of your hidden input field. I hope it will help.