How to hide input text in a form from user doing a view source

Basically, I have a RPT (Crystal Reports) file that is called via a URL.  For example...

<form method=post action="http://...filename.rpt">

<input type=hidden name=user value=fred>
<input type=hidden name=pwd value=secret>
<input type=submit value="GetReport">
</form>

The problem is that I don't want the surfer/user to do a view source, and hence see the user and password.

I've looked into frames (Crystal viewer does not work in a frame), and JavaScript to open control-less windows.

I'm looking for code fragments, and a method that will work, and that the user/surfer can not find the user/password info.

Your tools are VBScript (server / client).  If browser is IE5 only... it's OK.   No 3rd party apps (free only) unless it plugs in as a component.

It is possible to do a:

but... the method needs be such that the user can not see the username and password.

Better solution... better grade.

I think writing an ASP is the solution.
yes using ASP would be the solution.

You can make a session variable to hold the password and use <input type="password" name="pwd"> to get Your users password (which should scramble it, making it all spaces, also in final code.)

Do the same for the username field (meaning make a session variable) and You can lose the ?user=fred&pwd=secret after Your link.

When You need to retrieve the value use
Session("pwd") to get the password and Session("username") for the username..

Hope this is helpful..

Max Davidse
dcollins071397Author Commented:
I've thought of that...

Unfortunately, Crystal Report engine will not read from a Session variable.  It will only read from a Request variable  (via get/post).

You could create a small page that would auto submit itself.
first page:
<a href="login.html">Click here to login</a>

<script language="JavaScript">
function sendIt() {
  // submit the form as soon as the page has loaded
  document.form.submit();
}
</script>
<body onLoad="sendIt()">
<form name="form" action="yourpage.html" method="post">
<input type="hidden" name="user" value="fred">
<input type="hidden" name="pwd" value="secret">
<input type="submit" value="send">
</form>
</body>

That should give you a form submission that only for a brief time will allow the user to see the username and password.
Other than that, the only thing I can think of would be to use ASP or PHP to modify the HTML header to include the user and pwd variables on the server-side. I however am not familiar with how this would be done.
dcollins071397Author Commented:
Hmm... clever.  I see if they had Javascript disabled then they would see it... but, still clever.

I've seen some Javascript (misplaced it), that will try to 'block' the Right-Click 'view source' command.  But, I believe it would only work on older browsers.
not only will not stop users from looking at the source through the menu view/source either

An addition to DreamMaster: to prevent menu view/source, use a frameset containing only one page (the real page), so when the user tries to view/source from the menu they will only see the source of the frameset page.
Netscape users will still be able to view the frame source, so that will work for IE only...

but i agree it's an option...and it will solve part of the question...

just not all....
Here is a temporary solution that you can apply to IE and some versions of Netscape.  Here is a right-click disabler....

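<script language="javascript">
// No rightclick script
// (c) 1998 barts1000
// barts1000@aol.coma
function click() {
  // event.button == 2 is the right mouse button in the IE event model
  if (event.button==2) {
    alert('[Your custom message here ]')
  }
}
// run the check on every mouse press
document.onmousedown=click
</script>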

But in any case, there is absolutely NO WAY to hide HTML code. The reason is that you are actually transmitting these files to the user's system, and they get stored.  Even if you disable the Source View options in the web browser, they will still be able to see it by basically saving the HTML page as an .html file and viewing the contents by opening it in NotePad or some text editor.  Also, with the page you have transmitted cached, people can open the .html file from the browser cache.
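An added example (not part of the original thread) of a check a site owner can run over their own pages: it parses the HTML exactly as delivered to the browser and reports hidden fields with credential-like names, which shows why the auto-submit, frameset and right-click tricks discussed here leave the values readable. The name pattern, the class and function names, and the sample page are assumptions of this example.

```python
from html.parser import HTMLParser
import re

# Field names treated as credential-like (assumption; extend for your own forms).
SENSITIVE = re.compile(r"(user|login|pwd|pass|secret|token|key)", re.I)

class HiddenFieldAuditor(HTMLParser):
    """Collects hidden inputs with credential-like names, per enclosing form."""

    def __init__(self):
        super().__init__()
        self.action = None   # action of the form currently open, if any
        self.findings = []   # (form action, field name, value)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.action = a.get("action")
        elif tag == "input" and (a.get("type") or "").lower() == "hidden":
            name = a.get("name") or ""
            # Only a hidden field that ships a non-empty value is a finding.
            if SENSITIVE.search(name) and a.get("value"):
                self.findings.append((self.action, name, a["value"]))

    def handle_endtag(self, tag):
        if tag == "form":
            self.action = None

def audit(html):
    """Return every credential-like hidden field found in the served HTML."""
    parser = HiddenFieldAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: the auto-submit page from the thread combined with the
# right-click blocker. Neither trick changes what a parser (or a saved copy) sees.
SAMPLE = """
<script>function click(){ if (event.button==2) alert('no'); }
document.onmousedown=click</script>
<body onLoad="document.form.submit()">
<form name="form" action="yourpage.html" method="post">
<input type=hidden name=user value=fred>
<input type=hidden name=pwd value=secret>
<input type="submit" value="send">
</form>
"""

if __name__ == "__main__":
    for action, name, value in audit(SAMPLE):
        print(f"{action}: hidden field {name!r} carries a value ({len(value)} chars)")
```

Any page that produces a finding needs the credential moved to the server side; no change to the client-side markup will clear it.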



dcollins071397Author Commented:

I was thinking that it was possible to have the page that would call the .RPT file have the 'cache expire' and such metatags.

Hmm, yea, even if I could hide the parameters in a  url line, the browser's history (say if IE), will probably still keep track of it.

There's got to be a way...

several of you have come up with some very interesting ideas...

I know this is an old question, but I'll add this comment anyway in case anyone has a look.

I'm currently having problems viewing the html source code of my own web site!

I have a two frame page which has a two page frame nested within that. If I click menu view source I get the top frame set. If I right click any of the three sections I see that section's code. I can't however see the frameset of the nested two frame page. How do I do this? Or have I just solved dcollins' initial problem?

I have not tried with NS only IE5.
I think I'll post this as a question also.
Any ideas, anyone........
I am not clear what you want to say.

If in a page with multiple frames, you right-click and view the source, you will get the source of that page. That is fine.

If you want to see the source of the frameset, for example, you have two frames in a browser window and you want to view the source of the main page which contains the frameset, you can:
1. Select Source from View menu, or
2. Right-click on the splitter bar and select "View source".

So, everything is viewable.
V Bapat: Yep you're right, I was just being dense. I had no frame borders and identical backgrounds meaning the join between frames was invisible, but did exist.

Sorry to waste your time,

Try making a frameset, with 2 frames

1 top + 1 bottom.

make the bottom fill 100% of the page, then put a blank page in the bottom, and the form in the top, this will make it harder for your visitors to view the source