PHP - securely submitting data through forms for various user actions

Let's say I have one form that changes its content (fields and parameters) based on the current state of the user in a multi-tier process. Say that this always leads to the same action, which means that the action has to figure out what event happened and on what object.

<form action='/somecontroller/someaction' method='post'></form>


What is the most common way to pass this sensitive data to the controller? I don't even want to suggest hidden fields as they can be changed by anyone. Two-way encryption of some kind that is then decrypted in action and used to identify the rest of the server? Perhaps serialize sensitive information, encrypt it and put it in one hidden field on the client side of the form, then decrypt and unserialize in the controller?


$hiddenData = unserialize($this->decrypt($_POST['hiddenData'], SALT));
$data = array_merge($hiddenData, $_POST);


Basically - how can I send some data on a form safely without subjecting it to external changes, i.e. without having to worry that something might go wrong if it gets changed? Is there any best practice in this regard?



2 answers

Interesting question. What I would do is a combination of the following (if sessions are not the solution for you):

  • use AES_256 / modified cryptographic / decrypted AES_256 in serialized representation
  • make an MD5 + SALT (or similar) hash of variables that you could compare to a stored hash to determine if any manipulation has taken place.
  • use something like the user's IP address as SALT for generating hashes or for cryptographic functions, so if the user's IP address needs to change, you will know this (be careful: the IP address can change under some circumstances).


You never send this data to the client.

Store it on the server side within the scope of the session management (for PHP you can access it with the $_SESSION variable) and only send the session token (a long random number; PHP has routines to generate / maintain good session IDs) to the client (usually this is done in the form of a cookie). To track data in a multi-step process (including the state the user is in), you never want to expose it to the client.
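As an added example (not from the question or either answer), here is one way to implement the second answer's approach in PHP: the current step, the object id and the values collected so far live only in $_SESSION, and the single hidden field is a random per-step token that the controller checks with hash_equals() and rotates after every submission. The step names, the finish() callback and the object id are assumptions for illustration.

```php
<?php
// Added example: server-side state for a multi-step form (not from the page).
declare(strict_types=1);

session_start();

const STEPS = ['collect_email', 'confirm_address', 'review']; // assumed workflow

function startWizard(int $objectId): void {
    // Authoritative state lives only in the session; none of it is sent to the client.
    $_SESSION['wizard'] = [
        'step' => 0, 'object_id' => $objectId, 'data' => [],
        'token' => bin2hex(random_bytes(32)),   // proves the POST came from our form
    ];
}

function renderForm(): string {
    $step  = STEPS[$_SESSION['wizard']['step']];
    $token = htmlspecialchars($_SESSION['wizard']['token'], ENT_QUOTES, 'UTF-8');
    // The only hidden field carries no state, just the token for this step.
    return "<form action='/somecontroller/someaction' method='post'>"
         . "<input type='hidden' name='token' value='$token'>"
         . "<input name='$step'><button>Next</button></form>";
}

function finish(int $objectId, array $data): void {
    // Assumed application hook: persist the completed wizard for $objectId.
}

function someAction(array $post): void {
    if (!isset($_SESSION['wizard'])) {
        throw new RuntimeException('no wizard in progress for this session');
    }
    $given = $post['token'] ?? null;
    // Constant-time comparison; anything that does not match is rejected.
    if (!is_string($given) || !hash_equals($_SESSION['wizard']['token'], $given)) {
        throw new RuntimeException('bad or missing form token');
    }
    $step  = $_SESSION['wizard']['step'];   // taken from the session, never from $post
    $field = STEPS[$step];
    $_SESSION['wizard']['data'][$field] = trim((string)($post[$field] ?? ''));
    // Rotate the token so a captured submission cannot be replayed for this step.
    $_SESSION['wizard']['token'] = bin2hex(random_bytes(32));
    if ($step + 1 < count(STEPS)) {
        $_SESSION['wizard']['step'] = $step + 1;
    } else {
        finish($_SESSION['wizard']['object_id'], $_SESSION['wizard']['data']);
        unset($_SESSION['wizard']);
    }
}
```

Because the step index comes from $_SESSION rather than the request, a client that edits the form cannot skip ahead or act on a different object; the worst it can do is submit a bad value for the current field.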


