Question

Why do people store variables like this:

<input type="hidden" name="id" value="<?php echo $bookid; ?>">

Instead of just accessing the $bookid when it's needed?

Are there any security breaches with this? I thought you could access and change the value of an input with developer tools? That does not make it safe to store them there.


Solution

Apart from the whole client versus server-side thing, the security 'issue' should be non-existent. If someone does make a page with a 'hidden' form field to really hide it from the user as in, the user should never be able to find out the contents, that someone is "going to have a bad time".

The point of hidden fields is to hide them not for security, but because the user doesn't need it. Random example: Maybe I need to store the id of the Album you are looking at. You don't need to know that, why would you want to know that. But finding out I call this Album 2134125 in the back-end doesn't matter. Even if you change it, the only thing that will happen is you have just selected (bought, started to listen to, whatever your site does) a different Album. Unsellable albums, price, all stuff like that should be based on the ID, not on other stuff, so you can't hack it, you just confused yourself.

If you do need secure hidden fields there is an option btw: Sometimes we need to send actual data in hidden fields that we don't want to change. This is true for some payment providers where you actually send the amount a person needs to pay from a hidden field. (I'm not making this one up). This is usually secured by adding a second hidden field with a form of hash. This is made with a secret known to the payment provider and the server, but not available in the form. If you do some hash, say sha1(hiddenvalue + secret), add it, and compare after sending the form, you will get a different hash (so no equality, so an error) if the hiddenvalue was changed.
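The signed-hidden-field scheme described in this answer, as an added example that is not part of the original post. It uses PHP's hash_hmac() with SHA-256 rather than a plain sha1(value + secret) concatenation, because HMAC is the standard keyed construction for this purpose, and it compares signatures with hash_equals() so the check does not leak timing information. The function names, the SECRET constant and the sample POST arrays are all assumptions made for the example; in a real application the secret comes from server-side configuration and is never written into the page.

```php
<?php
// Example code (not from the original answer): sign a hidden form field on the
// way out and verify it on the way back in, so a value edited in developer
// tools is rejected by the server.

// Assumption: in practice this is loaded from server-side configuration.
const SECRET = 'replace-with-a-long-random-secret';

// Compute the signature over the field name and the value together, so a
// valid signature for one field cannot be moved onto another field.
function hidden_field_signature(string $name, string $value, string $secret): string
{
    return hash_hmac('sha256', $name . "\0" . $value, $secret);
}

// Emit the hidden field plus a companion "<name>_sig" field carrying the HMAC.
// Both attribute values are HTML-escaped so the template stays free of injection.
function signed_hidden_fields(string $name, string $value, string $secret): string
{
    $sig = hidden_field_signature($name, $value, $secret);
    return sprintf(
        '<input type="hidden" name="%1$s" value="%2$s">' . "\n" .
        '<input type="hidden" name="%1$s_sig" value="%3$s">',
        htmlspecialchars($name, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($value, ENT_QUOTES, 'UTF-8'),
        $sig
    );
}

// On submission: recompute the HMAC from the posted value and compare it in
// constant time. Returns the trusted value, or null when the field is missing
// or was tampered with.
function verify_signed_field(array $post, string $name, string $secret): ?string
{
    if (!isset($post[$name], $post[$name . '_sig'])) {
        return null;
    }
    $value = (string) $post[$name];
    $expected = hidden_field_signature($name, $value, $secret);
    return hash_equals($expected, (string) $post[$name . '_sig']) ? $value : null;
}

// Demonstration with constructed input (a stand-in for $_POST).
echo signed_hidden_fields('amount', '19.99', SECRET), "\n";

$submitted = [
    'amount'     => '19.99',
    'amount_sig' => hidden_field_signature('amount', '19.99', SECRET),
];
$tampered = $submitted;
$tampered['amount'] = '0.01'; // the client changed the value but cannot forge the signature

var_dump(verify_signed_field($submitted, 'amount', SECRET));
var_dump(verify_signed_field($tampered, 'amount', SECRET));
```

The first var_dump yields the original amount and the second yields null, because the recomputed HMAC no longer matches the posted signature. Two caveats a practitioner should keep in mind: a signature proves the value was not modified, not that it is fresh, so a client could replay an older signed amount unless the signed payload also binds an order id or expiry; and the secret must be distinct from any value that ever reaches the browser.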

Other tips

You are mixing things. $bookid is a PHP variable, only visible on the server. It is stored in the hidden form so it can be used by the browser (either by JavaScript, by a new request to the server, or both). $bookid is invisible on the client side; it will be replaced by its value before leaving the server.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow