Developing Web Applications


Hidden Form Fields

When you chain forms together to create a “Form wizard,” the information entered on each form needs to be stored until the last form has been filled in. There are three ways to pass values between ASP files:

Sometimes the requirements of your application don’t permit you to store form data in the Session object, even temporarily. This might be the case for a large-scale site with thousands of concurrent users, where memory is at a premium.

Passing values on the URL works for small amounts of information, but will be insufficient when the quantity of data is large.

So, although the amount of information passed between the client tier and the middle tier increases, hidden form fields make it possible to include previously entered or application-specific information as part of the current form submission. A hidden form field isn’t displayed to the user, but is sent as a name/value pair when the form is submitted.

Note   You should avoid using hidden form fields to send back information that you are using for security or authentication purposes. Since they are available as text in the form body, these values can easily be “spoofed” by anyone who can view the HTML source. Even an unsophisticated intruder could develop a small routine to try many possible values, in an attempt to crash (or otherwise break) whatever server code is using the hidden value.
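Because hidden values return under the client's control, a server that carries wizard state this way can attach a keyed integrity tag and reject any submission whose carried fields no longer match it. The following is an added example, not part of the original documentation, written in Python rather than ASP; `SERVER_KEY`, the `_mac` field name, the function names, and the sample data are all assumptions made for illustration.

```python
import hashlib
import hmac
import html
import json

# Assumption: a secret that never leaves the server (constructed demo value).
SERVER_KEY = b"constructed-demo-key"
MAC_FIELD = "_mac"  # hypothetical name for the integrity-tag field


def state_tag(state):
    """HMAC-SHA256 over a canonical encoding of the carried name/value pairs."""
    blob = json.dumps(state, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SERVER_KEY, blob, hashlib.sha256).hexdigest()


def render_hidden_fields(state):
    """Emit earlier wizard answers as hidden inputs, plus a tag covering them."""
    fields = dict(state)
    fields[MAC_FIELD] = state_tag(state)
    return "\n".join(
        '<input type="hidden" name="%s" value="%s">'
        % (html.escape(name, quote=True), html.escape(value, quote=True))
        for name, value in fields.items()
    )


def verify_submission(form, carried_names):
    """Return the carried state, or raise ValueError if the client altered it."""
    state = {name: form.get(name, "") for name in carried_names}
    sent = form.get(MAC_FIELD, "")
    # Compare as bytes, in constant time, against the tag recomputed server-side.
    if not hmac.compare_digest(sent.encode(), state_tag(state).encode()):
        raise ValueError("hidden-field state failed the integrity check")
    return state


if __name__ == "__main__":
    # Constructed sample: step 1 answers carried into the step 2 submission.
    step1 = {"name": "Pat", "plan": "basic"}
    posted = dict(step1, email="pat@example.test")
    posted[MAC_FIELD] = state_tag(step1)
    print(verify_submission(posted, ["name", "plan"]))
    posted["plan"] = "premium"  # value edited on the client before submit
    try:
        verify_submission(posted, ["name", "plan"])
    except ValueError as err:
        print("rejected:", err)
```

The tag only detects modification: the values are still readable in the HTML source, so secrets and authentication decisions stay on the server.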


© 1997-1999 Microsoft Corporation. All rights reserved.