In the majority of cases, client-side validation of user input has beneficial

If an element on an HTML form is flagged as disabled, it appears on-screen but

is usually grayed out and is not editable or usable in the way an ordinary con-

trol is. Also, it is not sent to the server when the form is submitted. For exam-

ple, consider the following form:

This includes the name of the product as a disabled text field and appears on-

screen as shown in Figure 5-5.

Figure 5-5:  A form containing a disabled input field

The behavior of this form is identical to the original example: the only para-

meters submitted are 

quantity

price

abled field suggests that this parameter may originally have been used by the

application. Earlier versions of the form may have included a hidden or

editable field containing the product name. This would have been submitted

to the server and may have been processed by the application. Modifying the

name of the product may not appear to be as promising an attack as modify-

ing its price. However, if this parameter is processed, then it may be vulnera-

ble to many kinds of bugs such as SQL injection or cross-site scripting, which

are of interest to an attacker.