[Forminator Pro] Are forminator hidden fields protected from change in the browser?

Are forminator hidden fields protected from change in the browser, i.e. can we be sure that the hidden value will be unchanged submitted?

  • Pawel
    • Staff

    Hello kk!

    Hope you’re having a good day today!

    Forminator uses normal hidden input fields to store hidden values. Being hidden doesn’t mean that the field is used to store sensitive or “secret” data – that’s not the reason for hidden fields at all. They are used to send mostly “technical” information that’s not important to the end-user but very important for the processing of the form.

    So there’s no checking or protection from change before the form is submitted on hidden fields. Not only in Forminator, but also anywhere on the web. I haven’t seen a form where someone would protect hidden fields from being changed.

    Someone can for example use Chrome dev tools to edit the form manually and change the value of a hidden field, you can’t do a lot about that because that’s not important – usually if someone changes a value like this, the form won’t save. What’s important is the validation after submitting and this is where the hidden field value should be validated.

    I’m not sure about your current use case or the scenario you’re planning to implement. If you can share some more details, we can give you some more on point instructions what you can do here. Please let us know and we’ll be happy to assist you :slight_smile:

    Kind regards,

    Pawel

  • kk
    • The Incredible Code Injector

    Okay, thanks!

    You say:”What’s important is the validation after submitting and this is where the hidden field value should be validated.”

    So the question is:does the forminator saves the value offered to the user, does it compare that value with the submitted value and does it discard the submission in case the values differ.

  • Pawel
    • Staff

    Hello kk!

    I just double checked on my test site to confirm. I added a simple contact form with hidden field (IP address) and edited the value to change my IP to “1.1.1.1”. After submitting, the value I put by hand was saved in the submissions section, only validating if the value matches a valid IP address.

    I asked our Forminator developers for pointers about implementing validation – I’m currently waiting for a response from them and will update you as soon as they reply.

    Kind regards,

    Pawel

  • Pawel
    • Staff

    Hello again kk!

    Our team replied with a hint for you on how to implement custom validation of the forms. Forminator has a custom filter forminator_custom_form_submit_errors set up that allows you to parse the submitted info before it’s saved. You can find it in library/modules/custom-forms/front/front-action.php, line 634 in Forminator plugin files.

    To use it, you will need to create a custom filter like this:

    add_filter('forminator_custom_form_submit_errors', 'my_custom_form_validation', 10, 3);
    function my_custom_form_validation($submit_errors, $form_id, $field_data_array) {

    // your validation code goes here
    // if there are errors, you add them to $submit_errors

    return $submit_errors; // this filter must return this
    }

    As I said, this is an advanced feature that requires a bit of custom coding and knowledge of PHP to use.

    Hope this helps!

    Kind regards,

    Pawel

Thank NAME, for their help.

Let NAME know exactly why they deserved these points.

Gift a custom amount of points.