Securing Disabled Form Elements

posted on May 14, 2009

This is my first post in my mini-series about form security. If you missed it, you can read the introductory post to the series here.

This post focuses on disabled form elements. It covers when and why to use them, what they do, and how to keep them secure.

Disabled forms – when and why?

A disabled form element can be any type of form element: adding the disabled="disabled" attribute to any form element makes it disabled.

Here are a few instances where you would use disabled form elements:

  1. Displaying information that can never be changed. For example, if you want users to see their email address when editing their profile, but you don’t want them to change it, use a disabled form element.
  2. Displaying information that can sometimes be changed. With JavaScript, you can change a text input into a disabled input, and vice versa. You can read more about this here.

Disabled forms – what do they do?

Disabled form elements are designed to be read-only: a user can see the value of the input, but they can’t change it.

It’s not impossible to change it, though; there are many ways around it. Here are a few examples:

  1. JavaScript run through your browser
  2. Browser plugins (such as Firebug)
  3. External form that submits to your URL

These are probably the most common ways, and it’s impossible to stop people from using them. It is very possible, though, to write a server-side script that handles all of these techniques and keeps people from changing data that they shouldn’t.

Disabled forms – be secure

When creating a script that handles form submission, you should assume that the form data will be tampered with. Here are a few ways to keep disabled form elements secure:

  1. If the inputs are permanently disabled, don’t include code to update their values. Just ignore the fact that the inputs are there.
  2. If the inputs are conditional (they may become disabled or enabled depending on the values of other form elements), be sure to write fool-proof code. Don’t rely on JavaScript at all: your script should look at all of the form data itself and determine what should have been disabled.
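
Both rules above come down to one thing: the server decides which fields are editable, and it decides from its own data, not from what the browser claims. The following is an added example (not code from the original post) of a profile-update handler written that way. The profile record, the field names (email, display_name, newsletter, newsletter_format) and the rule "newsletter_format is disabled unless newsletter is yes" are all constructed for illustration. One caveat worth knowing: a browser does not submit disabled controls at all, so a disabled field turning up in the submitted data is by itself a sign that something other than the rendered form produced the request; the handler below ignores such fields rather than trusting them.

```python
# Added example, not part of the original post: server-side handling of a
# form that contains permanently and conditionally disabled fields.
# All field names and sample data are constructed for illustration.

# The record as stored on the server (constructed sample data).
STORED_PROFILE = {
    "email": "alice@example.com",   # rendered with disabled="disabled", never editable
    "display_name": "Alice",
    "newsletter": "no",             # controls whether newsletter_format is enabled
    "newsletter_format": "text",    # disabled by JavaScript unless newsletter == "yes"
}

# Rule 1: fields that are permanently disabled have no update code at all.
PERMANENTLY_DISABLED = {"email"}


def conditionally_disabled(form):
    """Rule 2: re-derive from the submitted data itself which fields the
    page's JavaScript would have disabled. The client is never asked."""
    disabled = set()
    if form.get("newsletter", "no") != "yes":
        disabled.add("newsletter_format")
    return disabled


def apply_profile_update(stored, form):
    """Return (new_record, ignored_fields).

    Only fields the user was actually allowed to edit are copied from the
    submission. Disabled fields keep their stored value even if the request
    contains a new one, and unknown field names are ignored as well.
    """
    allowed = set(stored) - PERMANENTLY_DISABLED - conditionally_disabled(form)
    new_record = dict(stored)
    ignored = []
    for name, value in form.items():
        if name in allowed:
            new_record[name] = value
        else:
            ignored.append(name)  # disabled or unknown: never written
    return new_record, sorted(ignored)


if __name__ == "__main__":
    # A tampered submission (constructed): every disabled field was re-enabled
    # client-side and an extra field was added. None of it reaches the record.
    tampered = {
        "email": "someone-else@example.com",
        "display_name": "Mallory",
        "newsletter": "no",          # so newsletter_format should be disabled
        "newsletter_format": "html",
        "is_admin": "1",
    }
    record, ignored = apply_profile_update(STORED_PROFILE, tampered)
    print("record :", record)
    print("ignored:", ignored)
```

The important design choice is that the allowed set is computed from the stored record and the submitted values of the controlling fields, so it does not matter which of the three techniques listed earlier produced the request: JavaScript in the browser, a plugin, or an external form all end up at the same server-side decision.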

In conclusion, just be safe about any disabled form elements. If you understand that they can be changed, make sure that your script can handle that.

In the next posts, we will go over security for other form elements. We will also talk about different ways to manipulate forms yourself. Be sure to subscribe so that you don’t miss the next post!

Thanks for reading!
