CActiveForm sensitive information


I have a CActiveForm which passes sensitive information, a password, to another system. How should I handle it so that it won't show up in the url of the next page?

Probably a very newb question, but I never faced this problem before.


The common solution is to send the variables using the POST method and to use SSL for encryption.



In theory I am familiar with the POST/GET methods and the difference between them. Never had to use it before though. As far as I know the default in CActiveForm is POST. Why does the ‘password=blabla’ element show up in my url then?

Can you post your view & controller code? Yes, POST is default and shouldn’t be displayed in the url.


My first controller action, which renders the view with the form:

	public function actionCreateDiff2($del1,$del2){



			$objects = array_slice($_POST, 0, -3);

			foreach ($objects as $obj){


















	foreach($object1 as $obj1){$objects1[$i]=$obj1['obj_oid']; $i++; }




	foreach($object2 as $obj2){$objects2[$i]=$obj2['obj_oid']; $i++; }




		foreach ($objects1 as $obj1){

			foreach ($objects2 as $obj2){





				$i++; }




	if(isset($result)){	$this->render('createDiff2',array('list'=>$result));}

	else {$this->render('createDiffError');}


my form:

<div class="form">

<?php $form=$this->beginWidget('CActiveForm', array(



)); ?>


<div class="row">




	echo "<table>";


	foreach($list as $obj){



	echo "<tr><td>";

	echo $obj[0]['obj_name'];

	echo "</td><td>";



	echo $form->radioButton(TObject::model(),'obj_name',array('name'=>'doc'.$i ,'value'=>$id,'uncheckValue'=>'e')); 


	echo "</td></tr>";


	echo "</table>";






<?php $model =new LoginFormSVN;?>

	<div class="row">

		<?php echo $form->labelEx($model,'SVN username'); ?>

		<?php echo $form->textField($model,'username',array('name'=>'username')); ?>

		<?php echo $form->error($model,'username'); ?>


	<div class="row">

		<?php echo $form->labelEx($model,'SVN password'); ?>

		<?php echo $form->passwordField($model,'password',array('name'=>'password')); ?>

		<?php echo $form->error($model,'password'); ?>





		echo CHtml::submitButton(); ?>


<?php $this->endWidget(); ?>

</div><!-- form -->

and the action which works with the data from the above form:

public function actionDiff($del1,$del2,$objID,$name,$pass){













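	// escapeshellarg() stops form input from being interpreted by the shell
	$action= 'svn info --username '.escapeshellarg($name).' --password '.escapeshellarg($pass).' '.escapeshellarg($path1);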





	$action= 'svn info '.escapeshellarg($path1);

	$result = exec($action, $output); 



	$res=$output[7] ;



	$res1=substr($res, 18);








	$action= 'svn info --username '.escapeshellarg($name).' --password '.escapeshellarg($pass).' '.escapeshellarg($path2);

	$result = exec($action, $output); 


	$res2=substr($res, 18);




	//oldpath manipulation an new




	//echo $final;




So when this last action renders its view:




	'diff deliveries'=>array('creatediff1'),




	//array('label'=>'List Delivery', 'url'=>array('index')),

	array('label'=>'Create Delivery', 'url'=>array('create')),

	array('label'=>'Manage Deliveries', 'url'=>array('admin')),



<div class=row>


	//echo $link;

	echo '<a href="'.$link.'">Show diffs</a>';

	//echo CHtml::linkButton('Link to diff',array('submit'=>$link))?>


I can see the password field in the url.

Maybe it's a bit complicated :). I am sure a veteran programmer would have a simpler solution.

So to sum up, it's actiondiff1->_viewdiff1 (where the actual form is)->actiondiff->diff (where the password is seen in the url).

Thanks for your trouble!

Writing the last post made me review my program, and I realised that the password in the url actually comes from the values given to the actiondiff function.

So the question now: how to give the variable from one action to another without showing it in the url?

As the subject got sidetracked, I opened another topic on the subject.
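
One way to keep the credentials out of the URL, as an added example that is not part of the original thread: in Yii 1.1, action method parameters are bound from `$_GET`, so anything declared in the action signature has to travel in the query string, while values read with `getPost()` stay in the request body. The controller name `DiffController`, the `Delivery` model and its `svn_path` attribute are hypothetical; the POST field names are the ones set in the form above.

```php
<?php
// Added example, not code from the thread. Assumes Yii 1.1.
// DiffController, Delivery and svn_path are hypothetical names.
class DiffController extends CController
{
    public function filters()
    {
        // Built-in CController filter: rejects non-POST requests with HTTP 400,
        // so the credentials can never arrive in (or be bookmarked from) a URL.
        return array('postOnly + diff');
    }

    // Only non-secret identifiers stay in the signature; Yii binds these
    // from $_GET, which is why $name/$pass showed up in the address bar.
    public function actionDiff($del1, $del2)
    {
        $request = Yii::app()->request;
        // Field names match array('name'=>'username') / 'password' in the form.
        $name = $request->getPost('username');
        $pass = $request->getPost('password');
        if (!is_string($name) || !is_string($pass) || $name === '' || $pass === '') {
            throw new CHttpException(400, 'SVN credentials are required.');
        }

        $info = array();
        foreach (array($del1, $del2) as $id) {
            $delivery = Delivery::model()->findByPk($id);   // hypothetical model
            if ($delivery === null) {
                throw new CHttpException(404, 'Unknown delivery.');
            }
            $info[$id] = $this->svnInfo($delivery->svn_path, $name, $pass);
        }
        // Render results only; never put $name or $pass into a link or redirect.
        $this->render('diff', array('info' => $info));
    }

    private function svnInfo($path, $name, $pass)
    {
        // escapeshellarg() keeps form input from being parsed by the shell.
        $cmd = 'svn info --non-interactive'
             . ' --username ' . escapeshellarg($name)
             . ' --password ' . escapeshellarg($pass)
             . ' ' . escapeshellarg($path);
        exec($cmd, $output, $status);
        if ($status !== 0) {
            throw new CHttpException(502, 'svn info failed.');
        }
        return $output;
    }
}
```

The form's `action` would point at this route with `del1` and `del2` in the query string, leaving the method as POST and serving the page over SSL as suggested earlier in the thread.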