Is it safe to rely on the data of a html input field set to readonly? What is the purpose of a readonly field?
I know the disabled fields are not pushed to $_POST whereas readonly are? Essentially what I want is a dynamic value in my form that is unchangeable to the user.
Would it be more appropriate to place this in session or what options do I have?
EDIT:
As some below have mentioned storing this in session is a better idea, although after reading Storing objects in session I am concerned about performance and overloading the server with session data. Any suggestions? Would is be safe to just unset() any session data no longer needed. (Similar to memory management but on the session level? Delete what you do not need.)
Well it will work in the sense that users cannot put text into a readonly field. But anyone could forge a post with those fields modified easely.
So no its not a very good security.
For your other question you should give us more details about what you need that readonly field for. Maybe sessions are right for you maybe you do not need to do anything more then not write whatever`s in a readonly field to the db when the form is submited.