1

I have a strange problem. I am storing some data in a hidden field. When I changed the value of the hidden field through inspect element, it gets changed on the server side also.

Hidden field with actual value

Value changed through inspect element

Result in server side

I want the user not to change the hidden value, or the value changed by the user should not affect the actual value. Can anyone please help me to solve this problem?

Sudha
  • 505
  • 1
  • 10
  • 27
  • What do you mean by "in server-side"? – Sadjad Oct 24 '13 at 13:28
  • 1
    I think you're being mistaken. What you check is on the client side. It would be more interesting to know why you want to store data in hidden fields that you don't want users to change. Perhaps you can find a better alternative. – html_programmer Oct 24 '13 at 13:31
  • 3
    If you calculate this value (84), you need to recalculate on server side to make sure it fits. You should never trust your own forms. There's always a risk that it's been altered by the user. If this is a price, submit the IDs of the products and calculate again. No matter how you got this number on the client side, you can have it on the server side as well – Bene Oct 24 '13 at 13:45

2 Answers

4

It is not possible to stop someone amending the DOM in the console.

You need to verify that the values sent to your server are valid on the server-side before doing any work on them.

If you have some data which you do not want anyone to amend you would need to have some method of encrypting it, or not displaying it at all on the client side.

Rory McCrossan
  • 331,213
  • 40
  • 305
  • 339
  • Thank you.. We changed the value of asp controls like label, button through inspect element but in server side we are not getting the changed values. So my question is, what's the difference between label and hidden field? How does it work? – Sudha Oct 24 '13 at 13:53
  • 2
    @Sudha labels and buttons don't have values that are submitted in forms. Hidden form fields do. They are posted to your server-side code. – ED-209 Oct 24 '13 at 14:45
4

Knowledgeable users can always change hidden form values and they will be submitted to your code behind.

If you need to store data about a user that they can't change then you need to store them server-side (in a database for example), and not on the client.

ED-209
  • 4,706
  • 2
  • 21
  • 26
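
The server-side checks described in the comments and answers above, as an added example that is not part of the original thread: the total is recomputed from data the server owns (as in Bene's comment), and a hidden value that must round-trip through the browser is made tamper-evident with an HMAC, which is signing rather than the encryption the first answer mentions. Python stands in for the ASP.NET code-behind; the catalogue, the key handling and all function names are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumption: a secret that lives only on the server and is never sent to the page.
SERVER_KEY = secrets.token_bytes(32)

# Constructed sample catalogue (product id -> price); the server's source of truth.
PRICES = {"p1": 50, "p2": 34}


def recompute_total(product_ids):
    """Derive the total from server-side prices; unknown ids are rejected."""
    try:
        return sum(PRICES[pid] for pid in product_ids)
    except KeyError as exc:
        raise ValueError(f"unknown product id: {exc.args[0]}") from None


def check_posted_total(product_ids, posted_total):
    """Return (authoritative total, whether the posted hidden value matched it)."""
    total = recompute_total(product_ids)
    return total, str(posted_total).strip() == str(total)


def _tag(name, value):
    # The field name is part of the MAC input so a tag cannot be moved to another field.
    return hmac.new(SERVER_KEY, f"{name}={value}".encode(), hashlib.sha256).hexdigest()


def sign_field(name, value):
    """Build 'value|tag' to place in a hidden field when the page is rendered."""
    return f"{value}|{_tag(name, value)}"


def verify_field(name, posted):
    """Return the original value, or None if the value or the tag was altered."""
    value, sep, tag = posted.rpartition("|")
    if not sep:
        return None  # no tag at all: treat as tampered
    ok = hmac.compare_digest(tag.encode(), _tag(name, value).encode())
    return value if ok else None
```

The server always uses the total returned by `check_posted_total`, never the posted one; a mismatch is only a signal worth logging. Signing detects modification but does not hide the value, and a valid `value|tag` pair can be replayed unless something like a session identifier is included in the MAC input.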