Validating hidden form fields

VirtuosiMedia
Forum Contributor
Posts: 133
Joined: Thu Jun 12, 2008 6:16 pm

Validating hidden form fields

Post by VirtuosiMedia »

How do you handle validating hidden form fields? Obviously they should be validated just like any other type of input, but what do you do if they fail? Do you post an error message? Do you make them fail silently and just log the attempt? Do you redirect to the FBI website? :wink: I'm just curious to see what other people do.
Bruno De Barros
Forum Commoner
Posts: 82
Joined: Mon May 12, 2008 8:41 am
Location: Ireland

Re: Validating hidden form fields

Post by Bruno De Barros »

Well, as far as I'm concerned, I used hidden form fields to pass values from my script to the user, to be sent back to my script. Like a hidden ID field which tells me what item I am editing, or something. If it doesn't validate, it means the user was tampering with it, so I always just output an error message and complain that I don't want anybody trying to hack my script :lol: Hidden fields should always validate if the user didn't mess with them.
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: Validating hidden form fields

Post by Christopher »

Usually that data is required so something is wrong if the value is not present or valid. Unlike form fields where I provide a "please enter an email address" type message, a missing hidden field usually requires a system type "unable to process your ..." message with either a link or redirect back so they can fix the problem or report the error. The form itself is not valid for user input so you need to address that problem.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Validating hidden form fields

Post by kaisellgren »

Filtering is the right choice of word. Validating does not always apply to hidden form elements. On the other hand, sometimes it is the only approach.

Ask yourself, what is the purpose of this hidden field? If it is not what you expect, does it mean the user attacked/was under attack? Say you have a token in a form, if it is invalid, you must deny and produce some sort of error or at least react somehow just like arborint said, because obviously the token must be correct for valid requests.
Bruno De Barros wrote: Hidden fields should always validate
Not necessarily. Let us say that we have a hidden value of "formloaded", which holds the Unix timestamp of when the form was loaded client side. I don't know why you would do this, maybe for statistical reasons - doesn't really matter. Anyway, if the value is suddenly non-integer, sanitizing could be a possible approach, too.
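The three cases the thread discusses (a token that must match, a required record id, and a "formloaded" timestamp that can simply be sanitized) side by side, as an added example that is not code from any poster; the field names, the `$sessionToken` source and the sample requests are assumptions.

```php
<?php
declare(strict_types=1);

// A hidden token must match exactly; a mismatch means the request is refused.
function hidden_token_ok(array $post, string $expected): bool {
    $given = $post['token'] ?? '';
    // hash_equals compares in constant time; the is_string guard rejects arrays
    return is_string($given) && hash_equals($expected, $given);
}

// A hidden record id is required: without a valid positive integer the form
// cannot be processed at all (the "unable to process your ..." case).
function hidden_id(array $post): ?int {
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// The "formloaded" timestamp is only statistical, so a bad value is dropped
// (sanitized) instead of failing the whole request.
function hidden_formloaded(array $post, int $now): ?int {
    $ts = filter_var($post['formloaded'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 0, 'max_range' => $now]]);
    return $ts === false ? null : $ts;
}

function handle(array $post, string $sessionToken, int $now): array {
    if (!hidden_token_ok($post, $sessionToken)) {
        error_log('hidden token mismatch'); // log the attempt, tell the user little
        return ['status' => 403,
                'message' => 'Unable to process your request. Please reload the form.'];
    }
    $id = hidden_id($post);
    if ($id === null) {
        error_log('hidden id missing or invalid');
        return ['status' => 400,
                'message' => 'Unable to process your request. Please go back and try again.'];
    }
    return ['status' => 200, 'id' => $id, 'formloaded' => hidden_formloaded($post, $now)];
}

// Constructed sample requests (assumed token normally lives in the session)
$token = bin2hex(random_bytes(16));
var_dump(handle(['token' => $token, 'id' => '42', 'formloaded' => 'abc'], $token, time()));
var_dump(handle(['token' => 'wrong', 'id' => '42'], $token, time()));
var_dump(handle(['token' => $token, 'id' => '-1'], $token, time()));
```

The first request succeeds with the bad timestamp silently dropped, the second is refused on the token, and the third is refused on the id.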