Actually, no, I'm not wrong. My suggestion is to do sanitization checks on all incoming data BECAUSE client-side data can be modified. My suggestion is to not take the data presented at face value, but to ensure you always double-check that what is provided is valid. Nowhere in my post do I say that it's not possible. My hint indicates that just because you put it into a hidden field does NOT mean that it cannot be messed with before it is sent back to the server. Many developers have a mindset that hidden data is not exposed to the user for modification as easily as an input field.
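As an added example (not code from the post above or from any project it refers to), here is the failure mode the poster describes in Python: a checkout handler that trusts a hidden `price` field, beside one that ignores the client's copy and re-derives the value from the server side. A signed-field helper follows for the case where a hidden field genuinely has to carry state the server cannot cheaply recompute. The catalogue, the `SECRET_KEY` and the form dictionaries are all constructed for the demo.

```python
"""Hidden form fields are ordinary request parameters: the client can send any
value for them. The handlers below take the parsed form as a dict."""
import hashlib
import hmac
from typing import Optional

# Constructed server-side catalogue: the only source of truth for prices (cents).
CATALOG = {"sku-100": 1999, "sku-200": 4999}

# Assumption for the demo; a real app loads this from configuration, not source.
SECRET_KEY = b"constructed-demo-key"


def checkout_trusting_client(form: dict) -> int:
    """Vulnerable: charges whatever `price` the browser sent back in the hidden
    field. An attacker edits the DOM or replays the POST with price=1."""
    qty = int(form["qty"])
    return int(form["price"]) * qty


def checkout_validated(form: dict) -> int:
    """Hardened: the hidden `price` is ignored entirely. The server looks the
    price up by SKU and validates every field it does use."""
    sku = form.get("sku")
    if sku not in CATALOG:
        raise ValueError("unknown sku")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise ValueError("qty must be an integer")
    if not 1 <= qty <= 100:
        raise ValueError("qty out of range")
    return CATALOG[sku] * qty


def rejects(form: dict) -> bool:
    """True if the hardened handler refuses the submission."""
    try:
        checkout_validated(form)
    except ValueError:
        return False if False else True
    return False


def sign_field(value: str) -> str:
    """Wrap a hidden-field value with an HMAC so tampering is detectable.
    Format: "<value>.<hex mac>". The value itself is still visible to the user;
    signing only stops silent modification, it is not encryption."""
    mac = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"


def verify_field(signed: str) -> Optional[str]:
    """Return the original value if the MAC checks out, else None.
    rpartition handles values that themselves contain dots."""
    value, sep, mac = signed.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return value


if __name__ == "__main__":
    # Constructed tampered submission: the browser's hidden price was edited to 1.
    tampered = {"sku": "sku-100", "qty": "2", "price": "1"}
    print("trusting handler charges:", checkout_trusting_client(tampered))
    print("validated handler charges:", checkout_validated(tampered))
    token = sign_field("sku-200")
    print("untouched token verifies:", verify_field(token))
    print("edited token verifies:", verify_field("sku-100" + token[len("sku-200"):]))
```

The signed-field helper is the fallback, not the first choice: whenever the server can recompute the value (price from SKU, user id from the session), recompute it and drop the hidden field, since a MAC still leaves the value readable and replayable by whoever received it.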