javascript - Is it safe to use hidden inputs to retrieve user data? -


I have a huge form divided into 5 subforms. When you go from form1 to form2, then given in Form 1 The information is stored in DB and userID is created. Then this userId in form2 has been added as a hidden input. Something like this: 

  & lt; Form action = "" method = "post" & gt; & Lt; Input type = "hidden" value = "userIDnumber" id = "userId" /> & Lt; Input type = "hidden" value = "& lt ;? php echo base_url () ;? & gt;" Id = "url" /> // Form data & lt; Input type = "button" id = "prevButton" value = "previous" /> & Lt; Input type = "submit" value = "next" /> & Lt; / Form & gt;   
 If the user decides that to edit the data, go back to Form 1, clicking on the 'Back' button becomes the following:  
  var prev = document querySelector ('# prevButton'); if (! prev.addEventListener) {prev.attachEvent ('onclick', prevpage); } else {prev.addEventListener ('click', previous page, incorrect); } Function prevpage (e) {var userId = document.getElementById ('userId'). value; var url = document.getElementById ('url') value; var form = document.createElement ('form'); form.setAttribute ('method', 'post'); form.setAttribute ('action', url + 'form / 1'); form.style.display = 'hidden'; var input = document.createElement ("input"); Input.setAttribute ("type", "hidden"); Input.setAttribute ("name", "userId"); input.setAttribute ("value", userId); form.appendChild (input); document.body.appendChild (form); Form.submit (); }   
 What I am doing is a hidden form and in this form a hidden field is being paired with UserId, so that when I am going to Form 1, then that data I can retrieve the user who has posted just update the database in return for anything  
 My question is, is this a safe way to recover user data? I'm very new to JavaScript, so I'm not sure that working on this way is a way to access the other user's data by putting their ID directly to the attacker.  
 If so, what is the safest way to do this? I probably thought about using sessions, but the user I'm working for does not want to login to the user.  
 I have not got any questions about this, but if I apologize and please please tell me where it is.  
 Thank you for your time.   
 
 
 When a user accesses my web page, then I create a global object in which I Create user namespace:  
  APP.user = {};   
 In this object, you can store the properties you need and when the user logs in, you can retrieve the user data with the Ajax server.  
 Object example with key-value pairs in a simple browser memory:  
  APPUser = {user_id: 'kgy', first name: 'Kim', last Name: 'Gysen',}   
 Actually, this data is also publicly available. 
 DOM / Storing data in global object space is never safe when it is related to sensitive data. 
 Of course, the user must log in to access these data anyway.  
 One thing is that this approach will be faster, because there is no need to crawl the DOM, just to get some local user data on different pages.

Comments

Post a Comment

Popular posts from this blog

Verilog Error: output or inout port "Q" must be connected to a structural net expression -

I get the error every time, I try to compile. I'm not sure why anyone can help is? I'm new to verilog. Module D_FF (clerk, d, reset_n, q); Input D, Clack, reset_en; Output Q; reg Q; lab4_gdl f1 (.lk (~ clk), d (d), .q.m (qm)); lab4_GDL f2 (.Clk (Clk), D (QM), .Q (Q)); Always start at @ (posedge clk, neggeous reset_n) (Reset_n == 0) Q & lt; = 0; Other questions & lt; = D; Edit End: The problem is what we are asking to do: In this section, you apply the memory / registration circuit on the AlterEdie 2 board. will do. The circuit has the following specifications: The present value of swift SW15-0 on the D2 board should be shown in four hexadecimal four sections of HEX3-0. This part of the circuit will be combination logic. To use an active-less asynchronous reset and KEY1 to use KEY0 as the clock input, you must store SW15-0in in a 16-bit register in the value The register should be enabled to have a 16-bit positive edge, which uses the embedded D flip-flo
Read more

jasper reports - How to center align barcode using jasperreports and barcode4j -

I use iReport 5.5.0 . How to align a barcode component to the center The relevant piece of my jrxml is below & Lt; JR: Code 128 xmlns: JR = "http://jasperreports.sourceforge.net/jasperreports/components" xsi: schemaLocation = "http://jasperreports.sourceforge.net/jasperreports/components http: //jasperreports.sourceforge Purge / xsd / components.xsd "textPosition =" bottom "& gt; & Lt; Jr: codeExpression & gt; & Lt; [CDATA [$ F {number}]] & gt; & Lt; / Jr: codeExpression & gt; & Lt; / Jr: Code 128 & gt; & Lt; / componentElement & gt; "Text" itemprop = "text"> Create a style after this, it is called "barcode", like: & lt; Style name = "barcode" fontName = "Helvetica" fONTSIZE = "10" hAlign = "center" valign = "center" /> and set the property of your barcode element to "barcode".
Read more

c# - ASP.NET MVC - Attaching an entity of type 'MODELNAME' failed because another entity of the same type already has the same primary key value -

In brief, the wrapper module is inserted during posting and the status of an entry is changed to 'modified' . Before changing the state, the state is set to 'separate', but calling attachments () causes the same error to be thrown away. I am using EF 6. Model / wrapper class public class avi model {public A is a {get; Set; } Public listing & lt; B & gt; B {received; Set; } Public cc {receipt; Set; }} Administrator edit public functioning (int? id) {if (id == null) {new HttpStatusCodeResult (HttpStatusCode.BadRequest); } If (! Conveyor Access (id.Value)) new HTTPTitus code result (HTTP status code. Forbidden); Var aViewModel = new AViewModel (); aViewModel.A = db.As.Find (id); If (aViewModel.Receipt == zero) {return HttpNotFound (); } aViewModel.b = db.Bs.Where (x => x.aid == id.Value) .Oolist (); AViewModel.Vendor = db.Cs.Where (x => x.cid == aViewModel.a.cID) .FirstOrDefault (); See Return (aViewModel); } [HTPFost] [Valid AntitiferousTeacon
Read more