
WordPress > How to Build a WordPress Plugin > Building a WordPress Plugin Settings Page > Working with Forms in a WordPress Plugin Settings Page

What benefits does a hidden field offer in terms of security?

Hi,

In this video Zac explains that the following code is used to ensure that the user has submitted the form:

<input type="hidden" name="wptreehouse_form_submitted" value="Y">

But after some searching on StackOverflow and other communities, I haven't come across an explanation as to why we need these hidden fields.

Zac goes on to use this code to sanitize input as well as to check if the form has been submitted:

// Check the hidden marker first; only then read the real field.
if ( isset( $_POST['wptreehouse_form_submitted'] ) ) {

    $hidden_field = esc_html( $_POST['wptreehouse_form_submitted'] );

    if ( $hidden_field == 'Y' ) {

        $wptreehouse_username = esc_html( $_POST['wptreehouse_username'] );

    }

}

Why not just leave the hidden field out and use isset to check for $wptreehouse_username, as opposed to using isset and sanitizing on multiple fields? Any additional information on the security benefits is welcome, thanks!

Ken Stone (29,701 Points)

I have the same question. I don't see the value in the hidden field.

1 Answer

In this example, the hidden field is just a sanity check. By its nature, anything submitted via HTTP is insecure and needs to be validated. So that means sanitize EVERYTHING on EVERY request.

For actual security practices, read up on WordPress nonces. They use hidden fields that correspond with server-side variables to validate a request. http://codex.wordpress.org/WordPress_Nonces

Igor Skoldin (6,779 Points)

That doesn't answer the question of why the hidden field is needed. We sanitize the wptreehouse_username field the same way:

if( isset( $_POST['wptreehouse_username'] ) ) {
    $wptreehouse_username = esc_html( $_POST['wptreehouse_username'] );
}

Your link describes using nonces, which is not the case here. As far as I can see, nonces are mostly needed to prevent submitting the same data multiple times and to make sure that it is you submitting, not another user doing it at the same time.
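To make the distinction in the answer and the follow-up comment concrete, here is an added example (not code from the Treehouse course, and not WordPress core code) of a settings-page handler that keeps the course's static hidden marker and puts a WordPress nonce beside it. The option name wptreehouse_username, the nonce action wptreehouse_save_settings and the two function names are assumptions chosen for this illustration; wp_nonce_field, wp_verify_nonce, current_user_can, sanitize_text_field, wp_unslash, esc_attr, get_option, update_option and submit_button are real WordPress functions.

```php
<?php
// Added example, not code from the Treehouse course or from WordPress core.
// Assumed names: option 'wptreehouse_username', nonce action 'wptreehouse_save_settings'.

// Render the form. wp_nonce_field() emits two hidden inputs of its own:
// the nonce (default field name '_wpnonce') and '_wp_http_referer'.
function wptreehouse_render_settings_form() {
    $username = get_option( 'wptreehouse_username', '' );
    ?>
    <form method="post" action="">
        <?php wp_nonce_field( 'wptreehouse_save_settings' ); ?>
        <!-- The course's static marker. Anyone can copy the literal "Y", so it tells
             the handler which form was posted, not who posted it or from where. -->
        <input type="hidden" name="wptreehouse_form_submitted" value="Y">
        <label for="wptreehouse_username">Username</label>
        <input type="text" id="wptreehouse_username" name="wptreehouse_username"
               value="<?php echo esc_attr( $username ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Handle the POST. Returns a status string instead of dying so each check is visible.
function wptreehouse_handle_settings_post() {
    // 1. Was this particular form submitted at all? The static marker answers
    //    only that question; an attacker's page can include the same field.
    if ( ! isset( $_POST['wptreehouse_form_submitted'] )
        || 'Y' !== $_POST['wptreehouse_form_submitted'] ) {
        return 'not_submitted';
    }

    // 2. Authorization: may the logged-in user change plugin settings at all?
    if ( ! current_user_can( 'manage_options' ) ) {
        return 'forbidden';
    }

    // 3. CSRF protection: the nonce is derived from the current user, the session
    //    token, the action name and a time window. A cross-site page that tricks a
    //    logged-in admin into posting this form cannot supply a valid one.
    $nonce = isset( $_POST['_wpnonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'wptreehouse_save_settings' ) ) {
        return 'bad_nonce';
    }

    // 4. Sanitize the real data on the way in; escape (esc_html/esc_attr) on the
    //    way out when rendering. Absent field -> empty string, never a PHP notice.
    $username = isset( $_POST['wptreehouse_username'] )
        ? sanitize_text_field( wp_unslash( $_POST['wptreehouse_username'] ) )
        : '';
    update_option( 'wptreehouse_username', $username );

    return 'saved';
}
```

Two practitioner caveats. First, a WordPress nonce is valid for a time window (24 hours by default, adjustable through the nonce_life filter) and can be submitted more than once inside that window, so it is a CSRF check tied to the user and action, not a guard against duplicate submissions; if double-posting matters, that needs a separate server-side check. Second, the course calls esc_html() on the incoming POST value; esc_html() is an output-escaping function, and the usual WordPress practice is sanitize_text_field() (or a stricter sanitizer for the expected type) on input, with escaping applied when the stored value is printed back into HTML.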