Validating hidden form fields
- VirtuosiMedia
- Forum Contributor
- Posts: 133
- Joined: Thu Jun 12, 2008 6:16 pm
Validating hidden form fields
How do you handle validating hidden form fields? Obviously they should be validated just like any other type of input, but what do you do if they fail? Do you post an error message? Do you make them fail silently and just log the attempt? Do you redirect to the FBI website?
I'm just curious to see what other people do.
Bruno De Barros
- Forum Commoner
- Posts: 82
- Joined: Mon May 12, 2008 8:41 am
- Location: Ireland
Re: Validating hidden form fields
Well, as far as I'm concerned, I use hidden form fields to pass values from my script to the user, to be sent back to my script. Like a hidden ID field which tells me what item I am editing, or something. If it doesn't validate, it means the user was tampering with it, so I always just output an error message and complain that I don't want anybody trying to hack my script.
Hidden fields should always validate if the user didn't mess with them.
- Christopher
- Site Administrator
- Posts: 13596
- Joined: Wed Aug 25, 2004 7:54 pm
- Location: New York, NY, US
Re: Validating hidden form fields
Usually that data is required, so something is wrong if the value is not present or valid. Unlike form fields where I provide a "please enter an email address" type message, a missing hidden field usually requires a system-type "unable to process your ..." message with either a link or redirect back so they can fix the problem or report the error. The form itself is not valid for user input, so you need to address that problem.
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: Validating hidden form fields
Filtering is the right choice of word. Validating does not always apply to hidden form elements. On the other hand, sometimes it is the only approach.
Ask yourself, what is the purpose of this hidden field? If it is not what you expect, does it mean the user attacked/was under attack? Say you have a token in a form, if it is invalid, you must deny and produce some sort of error or at least react somehow just like arborint said, because obviously the token must be correct for valid requests.
Bruno De Barros wrote: Hidden fields should always validate
Not necessarily. Let us say that we have a hidden value of "formloaded", which holds the Unix timestamp of when the form was loaded client side. I don't know why you would do this, maybe for statistical reasons; it doesn't really matter. Anyway, if the value is suddenly non-integer, sanitizing could be a possible approach, too.
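The three positions in this thread (Bruno's "reject and complain" for a tampered ID, Christopher's "the form itself is invalid, give a system-level error", and kaisellgren's "ask what the field is for; a token must be exact, a statistics timestamp can just be sanitized") can be put side by side in one submit handler. The following is an added example written for this page, not code from any poster; the form name, the field names, the per-deployment secret and the item-ownership table are assumptions made for illustration. It also adds the check that a merely well-formed ID still has to belong to the current user, since a hidden ID that passes type validation but points at someone else's record is the usual way hidden fields get abused.

```python
"""Handling hidden form fields on submit: hard-fail on the ones that must be
exact (anti-forgery token, record id) and sanitize the ones that merely
describe the client (a 'formloaded' timestamp).

Added example for this thread, not a poster's code. The form name "edit_item",
the field names, SECRET_KEY and the OWNERSHIP table are assumptions.
"""
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumption: a per-deployment secret; a real app loads this from config.
SECRET_KEY = secrets.token_bytes(32)

# Constructed sample data: item id -> id of the user allowed to edit it.
OWNERSHIP: Dict[int, int] = {42: 7, 43: 7, 99: 3}


def make_form_token(session_id: str, form_name: str) -> str:
    """Value written into the hidden 'token' field when the form is rendered.
    Binding it to the session and the form name means a token lifted from
    another form or another session does not validate here."""
    msg = f"{session_id}:{form_name}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def token_is_valid(session_id: str, form_name: str, submitted: Optional[str]) -> bool:
    """Constant-time comparison so the check does not leak the token byte by byte."""
    if not isinstance(submitted, str):
        return False
    return hmac.compare_digest(make_form_token(session_id, form_name), submitted)


@dataclass
class Outcome:
    status: str                      # "ok" or "reject"
    item_id: Optional[int] = None
    form_loaded: Optional[int] = None
    warnings: List[str] = field(default_factory=list)


def process_edit_form(fields: Dict[str, str], session_id: str, user_id: int, now: int) -> Outcome:
    """Validate the hidden fields of a hypothetical 'edit item' form.

    fields -- submitted POST parameters (all strings, as they arrive)
    now    -- current Unix time, passed in so the function is deterministic
    """
    # 1. Anti-forgery token: there is no honest way for this to be wrong,
    #    so the whole submission is rejected (Christopher's "unable to
    #    process" case), and the attempt is worth logging.
    if not token_is_valid(session_id, "edit_item", fields.get("token")):
        return Outcome("reject", warnings=["invalid form token"])

    # 2. Record id: must be a plain positive integer (a regex rather than
    #    str.isdigit(), which also accepts Unicode digits such as '²')...
    raw_id = fields.get("id", "")
    if not re.fullmatch(r"[1-9][0-9]*", raw_id):
        return Outcome("reject", warnings=["malformed id"])
    item_id = int(raw_id)
    # ...and the current user must be allowed to edit it. A well-formed id
    # that belongs to someone else is the classic hidden-field tampering case.
    if OWNERSHIP.get(item_id) != user_id:
        return Outcome("reject", warnings=["id not owned by user"])

    # 3. Informational timestamp: a bad value is discarded and noted, not
    #    fatal (kaisellgren's "sanitize" case). Future times are treated as
    #    bad too, since the form cannot have been loaded after 'now'.
    warnings: List[str] = []
    form_loaded: Optional[int] = None
    raw_ts = fields.get("formloaded", "")
    if re.fullmatch(r"[0-9]+", raw_ts) and 0 < int(raw_ts) <= now:
        form_loaded = int(raw_ts)
    else:
        warnings.append("formloaded unusable, ignored")

    return Outcome("ok", item_id=item_id, form_loaded=form_loaded, warnings=warnings)


if __name__ == "__main__":
    sid, user, now = "sess-abc", 7, 1_700_000_000
    good = {"token": make_form_token(sid, "edit_item"), "id": "42", "formloaded": "1699999000"}
    print(process_edit_form(good, sid, user, now))                  # ok
    print(process_edit_form({**good, "id": "99"}, sid, user, now))  # reject: not owner
    print(process_edit_form({**good, "formloaded": "x"}, sid, user, now))  # ok, warning
```

The split is the point: the token and the ID are fields the server emitted and expects back unchanged, so any mismatch ends the request; the timestamp is only ever a hint, so it is coerced or dropped and processing continues. In a real application the "reject" branch would also write the session, user and offending field to a log, since a failed hidden-field check is one of the few places where user input is wrong on purpose rather than by mistake.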