douzhi2012 2019-01-18 21:00
Views: 630

How can I hide the parameters used in a POST request from the page source?

I'm wanting to send variables to a waiting PHP document using the POST method, but these variables are used as arguments to do things such as delete, hide, etc.

The problem is that I only know of two ways to do this:

  1. An href attribute where you build your URL
  2. Using an XMLHttpRequest

There is a security risk with both of these methods as they will show the variables within the source code. This could lead to someone having control over other users' data through manipulation of the URL. All they would need is the readily available variable and the user name.

function usrVisToggle(){
    var adjNum = Number(document.getElementById('lineNum').value);
    var adjSend = new XMLHttpRequest();
    adjSend.open('POST', 'https://000webhostapp.com');
    adjSend.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
    // Reload only after the server has answered; an immediate reload could cancel the request.
    adjSend.onload = function () { location.reload(); };
    // send() takes a single body argument; the action code and line number are visible in the page source.
    adjSend.send('argument=4&adjusted=' + adjNum);
}

The above is an example of how my code works right now.

The problem is within the argument=4. This will show in the source code and once you get the argument you can begin toggling everyone's data to be visible/invisible. Building your own URL to use in HTML poses the same risk.

What would be some ways around this?


2 answers

  • 普通网友 2019-01-18 21:07

    Not two minutes after this post I realized that instead of focusing on the manipulation codes, I could just make an impossibly hard to guess user code and save it to the database. This renders the argument=4 almost moot because you would have to break into the database to steal the information, or get lucky and guess a really long string that relates to the user.

