Yes, do not rely on this method for security. The HTML page could be saved by the user, modified in a text editor, reopened in the browser and submitted.

I store that kind of stuff in a backend DB (PostgreSQL or VFP via ODBC) for each user and do a wrapper call to a ZSQL method for the user's info around other calls to data and actions.

The Session product may also be helpful here (have not yet tried it but it is on my list).

__________________________________________________________________
Jim Sanford
Database Engineer
Accelerated Technology, Inc.
720 Oak Circle Drive East
Mobile, AL 36609
Voice: 334-661-5770 fax: 334-661-5788
E-Mail: jsanford@atinucleus.com
Web: http://www.atinucleus.com
Source Code, No Royalties, Any CPU...It just make sense !
__________________________________________________________________

----- Original Message -----
From: Doug McNaught <doug@mcnaught.org>
To: Jens Vagelpohl <tommymi@concentric.net>
Cc: Darran Edmundson <Darran.Edmundson@anu.edu.au>; <zope@zope.org>
Sent: Saturday, November 20, 1999 11:21 AM
Subject: Re: [Zope] Re: passing variables from one DTML method to another ...

"Jens Vagelpohl" <tommymi@concentric.net> writes:
Use an invisible input element in your form in this case, something like this:
<input type="hidden" name="variable_name" value="value">
This will be sent across to the form's target method with all other form field data, and they aren't visible/editable by the person seeing the form.
But they are visible by viewing the HTML source, so don't rely on them for security.
-Doug
--
Doug McNaught doug@mcnaught.org http://www.mcnaught.org/~doug
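
The point made in this thread, as an added example that is not part of the original messages: a handler that trusts a hidden form field next to one that looks the value up server-side before acting. It assumes an in-memory SQLite table in place of the PostgreSQL/ZSQL backend, and the table, function and field names are hypothetical.

```python
import secrets
import sqlite3

# Assumption: in-memory SQLite stands in for the backend DB queried via ZSQL.
db = sqlite3.connect(":memory:")
db.execute(
    "CREATE TABLE user_state (session_id TEXT PRIMARY KEY, username TEXT, role TEXT)"
)

def start_session(username, role):
    """Keep per-user state server-side; only an unguessable id goes to the browser."""
    session_id = secrets.token_urlsafe(32)
    db.execute("INSERT INTO user_state VALUES (?, ?, ?)", (session_id, username, role))
    return session_id

def lookup_state(session_id):
    """Wrapper lookup performed around every data call or action."""
    row = db.execute(
        "SELECT username, role FROM user_state WHERE session_id = ?", (session_id,)
    ).fetchone()
    if row is None:
        raise PermissionError("unknown or expired session")
    return {"username": row[0], "role": row[1]}

def may_delete_trusting_form(form):
    """Weak: the decision rests on a hidden field the user can edit and resubmit."""
    return form.get("role") == "admin"

def may_delete_server_side(form):
    """Hardened: the role comes from the DB; any 'role' sent in the form is ignored."""
    try:
        state = lookup_state(form.get("session_id", ""))
    except PermissionError:
        return False
    return state["role"] == "admin"

# Constructed sample: the form as rendered for a viewer, then the same form
# resubmitted after the saved page's hidden field was changed in a text editor.
sid = start_session("alice", "viewer")
original_form = {"session_id": sid, "role": "viewer", "record": "42"}
edited_form = dict(original_form, role="admin")

if __name__ == "__main__":
    print("trusting form :", may_delete_trusting_form(edited_form))
    print("server-side   :", may_delete_server_side(edited_form))
```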