0

I need to pass a parameter through a Rails form and access it in the controller. I would use a hidden field tag, but I don't want the user to be able to edit this data in the HTML and submit it. How can I secretly pass this parameter and access it on submit with parameter[:my_parameter]?

Improve this question
0

2 Answers 2

Reset to default
2

While a user can view hidden field data in almost any modern browser, they can't directly modify it in the browser itself. They can, however, build up form-data and pass it using some other client of their choice (curl, fiddler, etc) - there isn't really anything you can do about this. I suggest not relying on such a method for sensitive data.

A possible workaround would be to encrypt it in some form in advance, which can allow you to determine if it has been tampered with when posted. It can be tricky to do this right, and it's not a common practice for passing parameters.

Perhaps if you can clarify what exactly you are trying to accomplish, someone may be able to suggest a suitable alternative.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

1

The best practice for something like this is to not pass the parameter through the HTML, but instead to tie it to the user's session, and store the actual sensitive data in a database or cache. You could try to encrypt it, but, if the user has access to the data, then they have the ability to try to decrypt it.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.