Sign open (user-editable) fields with HMAC
How to sign form fields that accept user input, such as quantity, using HMAC.
By default, HMAC signing requires a known value at the time of signing. For fields where the value is entered by the customer — such as quantity or a custom message field — you use the --OPEN-- keyword instead of a real value, which tells Foxy to accept whatever the customer enters.
How it works
Instead of concatenating the actual value, use the string --OPEN-- as the value when generating the hash. Append ||open after the hash in the name attribute to tell Foxy the field accepts user-generated values.
For example, for a quantity field on a product with the code abc123:
hash_hmac('sha256', 'abc123quantity--OPEN--', $api_key);
The signed input looks like this:
<input type="text" name="quantity||753d51d4675bfb6f0aec5e6fbfd8a2e32cbea620c15a181567b052d350469c50||open" value="" />
Steps
PHP helper function
The PHP helper function handles open fields automatically. Pass --OPEN-- as the value:
get_verification('quantity', '--OPEN--', 'abc123');
The function detects --OPEN-- and appends ||open to the output automatically.
Notes
The ||open suffix is required. Without it, Foxy will not accept user-generated values in that field.
Do not use --OPEN-- as a real product value — it will allow that field to be freely modified by the customer.
Curly brackets { } are stripped from any open field value, preventing customers from injecting price, weight, code, or category modifiers.
Open fields should still be signed — do not skip them or leave them unsigned.
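The signing rule and the notes above, combined in an added example (not Foxy's helper and not code from this page): it signs every field of a product form and refuses to mark anything outside an allow-list as open, so a field like price cannot be signed with --OPEN-- by mistake. The function names, the allow-list, the custom_message field name, the sample key and the assumption that fixed-value fields use name||hash with no suffix are all illustrative.

```php
<?php
// Added example: helper names are hypothetical, not Foxy's get_verification().
const OPEN_MARKER = '--OPEN--';
// Only fields the customer is meant to type into may be signed as open.
const OPEN_ALLOWED = ['quantity', 'custom_message'];

function sign_field(string $code, string $name, string $value, string $apiKey): string
{
    // An open price, code or weight would be freely editable by the customer.
    if ($value === OPEN_MARKER && !in_array($name, OPEN_ALLOWED, true)) {
        throw new InvalidArgumentException("Refusing to sign '$name' as an open field");
    }
    // Same concatenation as on the page: product code + field name + value.
    $hash = hash_hmac('sha256', $code . $name . $value, $apiKey);
    $attr = $name . '||' . $hash;
    // Open fields carry the ||open suffix; fixed fields (assumed) do not.
    return $value === OPEN_MARKER ? $attr . '||open' : $attr;
}

function render_product_inputs(string $code, array $fields, string $apiKey): string
{
    $html = '';
    foreach ($fields as $name => $value) {
        $value = (string) $value;
        $open = ($value === OPEN_MARKER);
        $html .= sprintf(
            '<input type="%s" name="%s" value="%s" />' . "\n",
            $open ? 'text' : 'hidden',
            htmlspecialchars(sign_field($code, $name, $value, $apiKey), ENT_QUOTES),
            $open ? '' : htmlspecialchars($value, ENT_QUOTES) // open inputs start empty
        );
    }
    return $html;
}

$apiKey = 'constructed-example-key'; // placeholder, not a real store key
echo render_product_inputs('abc123', [
    'code'     => 'abc123',
    'name'     => 'Example Widget', // constructed sample product
    'price'    => '19.99',
    'quantity' => OPEN_MARKER,
], $apiKey);

try {
    sign_field('abc123', 'price', OPEN_MARKER, $apiKey); // must be rejected
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```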