Ulf Dittmer wrote: Yes, by "user-visible" I meant the URL (as well as form fields, hidden or not). A better phrase would be "anything that's round-tripped from the server to the client, and then back to the server". That's susceptible to tampering, and someone WILL do it.
Milind Mahajan wrote: Are there any other ways? Which of these is a better way and why?
Tell your boss it's called "re-factoring for security".
Milind Mahajan wrote: I did :-)
Milind Mahajan wrote: But what if I have lots of code already written which is passing the parameters in the URL, similar to what I mentioned?