FormAPI and Semantic Forgeries

It would be nice to go into more detail about semantic forgeries in the Form API.

  • It seems that a hidden value can be changed if the value of that hidden element is set with #default_value
  • If a user alters a select list or radios or checkbox they get an error - if they alter
  • A _submit function should only use values from the $form_statue['values'] and not from $_POST and not from $form_state['clicked_button']['#post']