Let say I have a post from like this:
<form action="myApp/form_action.asp" method="post">
First name: <input type="text" name="fname" /><br />
Last name: <input type="text" name="lname" /><br />
<input type="submit" value="Submit" />
</form>
So, let say there is a really bad buy who want to do something in my application. For example, my form_action.asp not only accept param “fname”, “lname”, but also “gender”, can he/she make a request on their own , like this….
<form action="http://www.myDomain.com/myApp/form_action.asp" method="post">
First name: <input type="text" name="fname" /><br />
Last name: <input type="text" name="lname" /><br />
Gender: <input type="text" name="gender" /><br />
<input type="submit" value="Submit" />
</form>
****Updates:****
I don’t want the user submit the gender, because I don’t want to modify his/her gender after he/she assigned.
If he/she can submit this query, it there any way to avoid him/her to do so? thank you.
You’re thinking about this the wrong way. Forget about HTML forms. They’re not what your server handles. It handles HTTP requests.
And (pretty obviously) people can send you HTTP requests that contain whatever they want. Not just additional fields, but also fields with values that the form would not allow, or fields with names that are 5000 characters long and/or values that are that long.
So what you absolutely must do is define what constitutes valid input and reject input that isn’t. In your case, it’s pretty simple: if the form is not supposed to contain a “gender” field, then have the server ignore such a field, or abort with an error if it’s present.
Usually you don’t have to do anything to ignore fields. But you definitely have to write your app in such a way that it does not accept field values that are not valid.