Can a form with a disabled <input type="submit"> be hacked to submit anyway?

Question

I'm just curious about the security of the <input type="submit" /> tag.

If I have a form (with method="post") with just one "Submit" button, which is disabled, and I haven't written any JS/AJAX/jQuery that affects the form, the button, or its other contents, could someone still find a way to submit the form?

Here's the code for a form along the lines I'm talking about:

<form method="post" action="processor.php" enctype="multipart/form-data">
<input type="text" name="foo" value="bar" />
<input type="submit" value="Submit" disabled="disabled" />
</form>

Thanks much!

Answer 1

Yes, I don't even need your form to submit it. I can use cURL or a similar library to just send a POST request as if it came from a form.

Always validate everything server-side, you don't always get what you expect.