0

I'm using variable passing through a URL (i.e. ".derp.html?name=derp?lname=herp") to a popup (which uses these parameters to prefill information on the page). Although these pages are internal, I want to create more security. I do not want someone to type in their own link and submit a form with fake values.

I was thinking of having a function run once the link is opened instead, which opens the popup, and sends the parameters through variables to the new window, instead of through the URL. However, I would still need to send values to the JavaScript function...

Anything else I can do to be more secure?

EDIT: Let me rephrase then... This is not public, this is internal. I'm not expecting users to try and hack into the system to create fake forms.

I can't do server-side validation because I'm working with very old methods like tabular data control in IE. There is no real database to verify anything.

4
  • What exactly are you doing with these values? Commented Feb 17, 2012 at 15:52
  • 4
    Preventing users from changing the URL using JavaScript? Are you kidding? Commented Feb 17, 2012 at 15:53
  • 3
    Nothing you do in client-side JavaScript will ever be secure. You need to have server-side validation on form submission. Commented Feb 17, 2012 at 15:54
  • 1
    Given the level of security you are looking for (which is wrong in my opinion), just submit the form using the POST method. Commented Feb 17, 2012 at 17:22

3 Answers

2

You can POST the values, instead of appending them to the URL. This is what HTML forms are for. For example:

<form action="derp.html" method="POST" target="myNewWindow">
    <input type="hidden" value="derp" name="name"/>
    <input type="hidden" value="derp" name="lname"/>
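    <!-- Open an empty window named "myNewWindow", then submit the form into it -->
    <a href="#" onclick="window.open('', 'myNewWindow'); this.parentNode.submit(); return false;">Click to open in a new window</a>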
</form>


2

You have two options

1) Instead of using the GET method (sending parameters in the URL), use the POST method; the parameters will not be in the HTML URL anymore, and you can do it with JavaScript. However, a person who wants to send fake values to your server is still able to do so; it's just a bit harder.

2) Create a hash function (JavaScript code) which encodes all the parameters before submitting the URL and decodes them upon receipt on the server side. http://en.wikipedia.org/wiki/Hash_function

Either way will not provide you 100% security, and you should still perform parameter validation on the server side.

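As an added example (not part of the answer above or of the original page): where the server-side validation this answer recommends is available, a keyed hash (HMAC) made with a server-held key detects edited `name`/`lname` values, which a hash computed in page JavaScript cannot, because the user can recompute it. `SERVER_KEY`, `canonical`, `sign`, `buildQuery` and `verifyQuery` are hypothetical names, and a Node.js server is assumed.

```javascript
const nodeCrypto = require('crypto');

// Assumption: this key exists only on the server. The value is a constructed placeholder.
const SERVER_KEY = 'constructed-demo-key-not-for-production';

// Canonical string over a fixed field order, so signer and verifier hash the same bytes.
function canonical(params) {
  return ['name', 'lname']
    .map((k) => `${k}=${encodeURIComponent(params[k] ?? '')}`)
    .join('&');
}

// HMAC-SHA256 over the canonical string, hex encoded.
function sign(params, key = SERVER_KEY) {
  return nodeCrypto.createHmac('sha256', key).update(canonical(params)).digest('hex');
}

// Query string the server hands to the page that opens the popup.
function buildQuery(params) {
  return `${canonical(params)}&sig=${sign(params)}`;
}

// Check a received query string. Returns the parameters, or null if they were altered.
function verifyQuery(query) {
  const q = new URLSearchParams(query);
  const params = { name: q.get('name') ?? '', lname: q.get('lname') ?? '' };
  const got = Buffer.from(q.get('sig') ?? '', 'hex');
  const want = Buffer.from(sign(params), 'hex');
  // timingSafeEqual throws on a length mismatch, so compare lengths first.
  if (got.length !== want.length || !nodeCrypto.timingSafeEqual(got, want)) {
    return null;
  }
  return params;
}

// Constructed sample values: one link as issued, one with lname edited by hand.
const issued = buildQuery({ name: 'derp', lname: 'herp' });
const edited = issued.replace('lname=herp', 'lname=fake');
console.log(verifyQuery(issued), verifyQuery(edited));
```

The signature only shows that the server issued these exact values; the same link can still be reused, so include an expiry or user identifier in the signed fields if that matters.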

1

You can change it to a POST request... but that's about all you can do if the logic is front-side... other than obfuscating the variable names.
