
What benefits does a hidden field offer in terms of security?

Hi,

In this video Zac explains that the following code is used to ensure that the user has submitted the form:

<input type="hidden" name="wptreehouse_form_submitted" value="Y">

But after some searching on StackOverflow and other communities, I haven't come across an explanation as to why we need these hidden fields.

Zac goes on to use this code to sanitize input as well as to check if the form has been submitted:

if( isset( $_POST['wptreehouse_form_submitted'] ) ) {

    $hidden_field = esc_html( $_POST['wptreehouse_form_submitted'] );

    if( $hidden_field == 'Y' ) {
        $wptreehouse_username = esc_html( $_POST['wptreehouse_username'] );
    }
}

Why not just leave the hidden field out and use isset to check for $wptreehouse_username, as opposed to using isset and sanitizing on multiple fields? Any additional information on the security benefits is welcome, thanks!

Ken Stone
29,703 Points

I have the same question. I don't see the value in the hidden field.

1 Answer

In this example, the hidden field is just a sanity check. By its nature, anything submitted via HTTP is insecure and needs to be validated. So that means sanitize EVERYTHING on EVERY request.

For actual security practices, read up on WordPress nonces. They use hidden fields that correspond with server-side variables to validate a request. http://codex.wordpress.org/WordPress_Nonces
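As an added example (my own code, not the course's or the answer's), this is what the nonce approach the answer points to looks like in the same settings form. The field name wptreehouse_username comes from the thread; the option name, the nonce action string and the nonce field name are my own assumptions.

```php
<?php
// Added example: a WordPress nonce in place of the hand-rolled "Y" hidden field.
// Assumed names: option "wptreehouse_username", nonce action "wptreehouse_save_settings",
// nonce field "wptreehouse_nonce".

function wptreehouse_render_settings_form() {
    $username = get_option( 'wptreehouse_username', '' );
    ?>
    <form method="post">
        <?php
        // Emits <input type="hidden" name="wptreehouse_nonce" value="..."> whose value is
        // derived server-side from the action string, the logged-in user and a time window.
        wp_nonce_field( 'wptreehouse_save_settings', 'wptreehouse_nonce' );
        ?>
        <label for="wptreehouse_username">Username</label>
        <input type="text" id="wptreehouse_username" name="wptreehouse_username"
               value="<?php echo esc_attr( $username ); ?>">
        <?php submit_button( 'Save Settings' ); ?>
    </form>
    <?php
}

function wptreehouse_handle_settings_post() {
    // Nothing to do unless this request carries our form; isset() alone decides that.
    if ( ! isset( $_POST['wptreehouse_nonce'] ) ) {
        return false;
    }
    // 1. Only users allowed to manage options may change them.
    if ( ! current_user_can( 'manage_options' ) ) {
        return false;
    }
    // 2. Reject the request unless the nonce matches this action for this user.
    //    A static "Y" proves nothing; a forged cross-site POST cannot carry a valid nonce.
    $nonce = sanitize_text_field( wp_unslash( $_POST['wptreehouse_nonce'] ) );
    if ( ! wp_verify_nonce( $nonce, 'wptreehouse_save_settings' ) ) {
        return false;
    }
    // 3. Still sanitize every field: a valid nonce says nothing about the field contents.
    $username = isset( $_POST['wptreehouse_username'] )
        ? sanitize_text_field( wp_unslash( $_POST['wptreehouse_username'] ) )
        : '';
    update_option( 'wptreehouse_username', $username );
    return true;
}
```

Call wptreehouse_handle_settings_post() before rendering the page so a rejected request simply falls through to the form again; check_admin_referer() does the same verification but dies on failure instead of returning.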

Igor Skoldin
6,779 Points

That doesn't answer the question of why the hidden field is needed. We sanitize the wptreehouse_username field the same way:

if( isset( $_POST['wptreehouse_username'] ) ) {
    $wptreehouse_username = esc_html( $_POST['wptreehouse_username'] );
}

Your link describes using nonces, which is not the case here. As far as I can see, nonces are mostly needed to prevent multiple submissions of the same data and to make sure that it is you submitting, not another user who does it at the same time.