Required Hidden Fields

From Plex-XML


There are always some required form fields that are used for parameter pass-through or to increase application functionality and control. A very common one is a record identifier that is passed as a hidden field in an update request. While it is very easy to customize web form fields with the Plex-XML formats, you need to ensure that required fields cannot be excluded from a form by a user, operator or designer.

There is a local variable in all Plex-XML Dictionary functions called 'ReqHiddenFields'. Each XMLOutput/FetchData field that also exists in this variable is checked on format load and is set to 'hidden' if its ShowField-Type is not 'input' or 'hidden'. The update key is preallocated as a required hidden field in all DictionaryEdit and DictionaryFindBrowse functions.


Figure (RequiredHiddenFields.png): Required key field in a DictionaryUpdate



Hint: A common problem with hidden form fields is a Web Parameter Tampering attack. The Web Parameter Tampering attack is based on manipulation of parameters exchanged between client and server in order to change application functionality and control. Be sure to use Secured Fields for form fields that should be protected against tampering.
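
The format-load rule for 'ReqHiddenFields' and a server-side tamper check for a hidden record key, as an added Python example. It is not Plex-XML code and does not show how Secured Fields are implemented; the function names, the "_mac" suffix, the key and all sample values are assumptions.

```python
import hashlib
import hmac
import json

SERVER_KEY = b"constructed-demo-key"  # assumption: server-only secret, never sent to the client


def apply_required_hidden(fields, req_hidden_fields):
    """Format-load rule from the text: a required field whose ShowField type
    is neither 'input' nor 'hidden' is forced to 'hidden'."""
    result = dict(fields)
    for name in req_hidden_fields:
        if name in result and result[name] not in ("input", "hidden"):
            result[name] = "hidden"
    return result


def seal(session_id, name, value):
    """Tag that binds a hidden field's value to its name and the session."""
    msg = json.dumps([session_id, name, value]).encode()  # unambiguous encoding
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def render_hidden(session_id, name, value):
    """What the server writes into the form: the field plus its tag."""
    return {name: value, name + "_mac": seal(session_id, name, value)}


def verify_hidden(session_id, name, posted):
    """Return the posted value only if its tag verifies, otherwise None."""
    value, tag = posted.get(name), posted.get(name + "_mac")
    if not isinstance(value, str) or not isinstance(tag, str):
        return None  # field or tag stripped from the request
    expected = seal(session_id, name, value).encode()
    if not hmac.compare_digest(expected, tag.encode()):
        return None  # value or tag was changed on the client
    return value


# Constructed sample: a designer set the update key to a non-form type ('output').
layout = apply_required_hidden({"CustomerID": "output", "Name": "input"}, ["CustomerID"])
form = render_hidden("sess-A", "CustomerID", "1001")
tampered = dict(form, CustomerID="1002")  # hidden record id edited in the browser

if __name__ == "__main__":
    print(layout)
    print(verify_hidden("sess-A", "CustomerID", form))      # accepted
    print(verify_hidden("sess-A", "CustomerID", tampered))  # rejected
```

The tag only proves that the server issued this value for this session; the update handler still needs its own authorization check on the record.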
