How to send POST data without hidden element?

Question

I wonder how to send a POST parameter without showing the my secret data in html source.

<input type="hidden" name="url" value="$secretdata">

$secrerdata must be sent as $_POST["url"] but I want to send it on server side.

Answer 1

It's impossible unless you never let the data reach the client. Otherwise the ""secret"" data will ALWAYS be visible to the user - either by intercepting the transmitted data or by looking at the HTML source or by looking at the JS source if you try to hide it using JS.

What you could do is storing the data in the $_SESSION array and access it via the same array on the second page instead of using POST. Of course you could assign it a field in $_POST manually if some (bad) code relies on it being in there.

Another option - which you should only use if you can't use the session for some reason - would be encrypting the data with a secret key that the user doesn't know (i.e. that is only used in server-side code).

Obviously you could also sent a POST request in your PHP code (using curl) - but then the request doesn't originate from the user's IP and depending on what you want to do that might be a problem.

Answer 2

I think what you actually need is a session. There you can store data that will be handled only by the server and is associated with a specific user.

In order to use that, you need to put session_start() at the beginning of every page where this data needs to be available. Then you can use

$_SESSION['yourkey'] = 'Something';

to store data in this session. It's available afterwards as $_SESSION['yourkey'] even on other pages.

You can find all information about session in the official documentation.