In the case of a form submission, the read-only fields, hidden fields and dropdowns and sent to the server along with the text input fields. Ideally all these fields have to validated as a malicious user might have tampered with the source and changed any of the codes/names of these. Is it a standard practice to validate all the values on the server side in such a case ? Or is the validation of text fields is a good compromise ? What are the alternatives ? What are the standards people use etc to avoid such cases?
