Master Secret Hidden Fields
by
Mari Bontrager

Permission is granted to reprint this article in its entirety, provided no reprints are sent in conjunction with unsolicited bulk email, provided no fee or other value is exchanged, provided no changes are made to the article, and provided the author's name, signature lines, and copyright line are printed with the article; except you may change the article's title.

Hidden form fields aren't hidden very well. By simply using your browser's "View Source" menu item, you're able to see what hidden fields the form has and what they contain.

Hidden fields are hidden only from web page view, not from source code snoopers.

Today you learn you can make your hidden form fields really secret.

Secret hidden fields are nowhere in the source code of your web page. Instead, they're supplied by a script.

This is how it works:

When a web page form is submitted, it sends its information to a form processing script. Some of that information might be submitted as hidden fields that other people really shouldn't know about.

That's the old way.

Here's the new way.

When a web page form is submitted, it sends its information to Master Secret Hidden Fields. The form does not submit the hidden fields that you're keeping secret. When MSHF receives the form information, it appends your hidden fields and then sends it all to your regular form processing script. To your regular form processing script, the information it receives from MSHF appears to come from a normal web page form.

That's the essence of how it works.

Master Secret Hidden Fields is free to download and use, and can be picked up at http://willmaster.com/a/17/pl.pl?art170free

Master Secret Hidden Fields can hold secret hidden fields for one form and relay to one regular form processing script. To service additional forms, install additional copies of MSHF.

Master Secret Hidden Fields Pro is $29 USD and can be purchased at http://willmaster.com/a/17/pl.pl?art170pro

Master Secret Hidden Fields Pro can hold secret hidden fields for any number of forms and their regular form processing scripts.

MSHF Pro has a nice password protected administrative control panel that makes it easy to keep track of and maintain the secret hidden fields and their regular form processing scripts.

But why?

Other than maintaining a sense of privacy and removing from view things that are nobody else's business, here are two solid reasons for using MSHF:

  1. As an anti-spam measure.

  2. For theft prevention.

Both of the above reasons are addressed further below.

MSHF and MSHF Pro need two Perl modules to operate: LWP::UserAgent and HTTP::Request::Common.

Most hosting companies have these modules installed on their servers. If you're unsure whether or not your server has these modules, Master Pre-Installation Tester from http://willmaster.com/master/pit/ can help.

MSHF and MSHF Pro cannot relay form information to a secure server. If your web page form's action= URL is a secure server URL, its hidden fields cannot be made secret using this method. That's because the scripts cannot negotiate secure connections like a regular browser can.

Using the Program as an Anti-Spam Measure.

If you have any forms with an email address in a hidden field, that email address can be harvested by spammers' robots.

Put the hidden field with the email address into MSHF or MSHF Pro, along with the URL of the regular form processing script. (The regular form processing script URL is in the action="_________" attribute of your <form... tag.)

After putting the hidden field and script URL into MSHF or MSHF Pro, you then remove the hidden field from your form and put the URL of MSHF or MSHF Pro into the form's action="_________" attribute. If you use MSHF Pro, you also add a hidden field that tells MSHF Pro which set of secret hidden fields and URL to use when relaying the form information.

Example old form:

<form method="POST" action="/cgi-bin/formmail.pl">
<input type="hidden" name="recipient" value="name@dom.com">
<input type="hidden" name="redirect" value="thanks.html">

Example new form (with MSHF):

<form method="POST" action="/cgi-bin/Mshf.cgi">
<input type="hidden" name="redirect" value="thanks.html">

Example new form (with MSHF Pro):

<form method="POST" action="/cgi-bin/MshfPro.cgi">
<input type="hidden" name="redirect" value="thanks.html">

Now, spammers' email harvesting robots can't find the email address. But your site users can continue to use your form just like normal.
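
The relay step described earlier, applied to the formmail form above, as an added example (not MSHF's own code). The target URL, the visitor's "email" field and the forged "recipient" value are constructed for illustration, and the example assumes the relay should drop any browser-supplied field that shares a name with a secret one, so the stored value always wins.

```perl
#!/usr/bin/perl
# Added example, not MSHF's own code: append server-side fields to a submission.
use strict;
use warnings;
use HTTP::Request::Common qw(POST);

# Assumed configuration, kept only on the server.
# URL constructed from the article's example host and script path.
my $TARGET_URL = 'http://dom.com/cgi-bin/formmail.pl';
my @SECRET     = ( recipient => 'name@dom.com' );

# Merge the browser's fields with the secret ones. A browser-supplied field
# whose name matches a secret field is dropped, so a visitor cannot replace
# the stored value by adding that field to the form.
sub merge_fields {
    my ($submitted, $secret) = @_;
    my %reserved;
    for (my $i = 0; $i < @$secret; $i += 2) {
        $reserved{ $secret->[$i] } = 1;
    }
    my @out;
    for (my $i = 0; $i < @$submitted; $i += 2) {
        my ($name, $value) = @{$submitted}[ $i, $i + 1 ];
        next if $reserved{$name};
        push @out, $name => $value;
    }
    return [ @out, @$secret ];
}

# Constructed sample submission; the last pair imitates a forged "recipient".
my @submitted = (
    redirect  => 'thanks.html',
    email     => 'visitor@example.com',
    recipient => 'someone-else@example.net',
);

# Build the POST the regular form processing script will receive.
my $req = POST $TARGET_URL, merge_fields(\@submitted, \@SECRET);
print $req->as_string;

# A live relay would pass $req to LWP::UserAgent->new->request($req)
# and return the response body to the browser.
```

The printed request body carries "recipient" once, with the server-side value; the browser-supplied copy is gone.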

Using the Program for Theft Prevention:

If you provide a downloadable product after a user fills out a form (in exchange for the user's email address or for referring friends, as examples), and if the download page URL is in a hidden field, then a thief could simply view your source code and bypass your form.

If the thankyou page URL is in a hidden form field, and if the page has information only for those who have filled out the form, you can move the hidden field to MSHF or MSHF Pro. If other hidden fields might provide clues to the thankyou page whereabouts, those hidden fields can also be moved to MSHF or MSHF Pro.

As an example, let's suppose you use Master Recommend Pro to collect referrals. When the user recommends 5 friends, s/he gets to download a free ebook. The download URL for the ebook is on the thankyou page. To demonstrate how it can be done, we'll move all hidden fields to MSHF or MSHF Pro.

Example old form:

<form method="POST" action="/cgi-bin/MRP.pl">
<input type="hidden" name="next" value="secret.html">
<input type="hidden" name="sitename" value="Domain!">
<input type="hidden" name="howmany" value="5">
<input type="hidden" name="siteURL" value="http://dom.com">
<input type="hidden" name="all" value="yes">

Example new form (with MSHF):

<form method="POST" action="/cgi-bin/Mshf.cgi">

Example new form (with MSHF Pro):

<form method="POST" action="/cgi-bin/MshfPro.cgi">
<input type="hidden" name="DirectiveSet" value="rec5">

Now, the form user can't know the URL of the thankyou page until after the form is successfully submitted. And some of the secret fields the form user will never know.

When you need to make hidden fields really secret, remember the Master Secret Hidden Fields program.

By: Will Bontrager

Copyright 2002 Bontrager Connection, LLC
http://willmaster.com/possibilities/
subscribe-possibilities@willmaster.com