
Why can a disabled element be enabled by the end user?

I disable a textbox from C# code in an ASP.NET page with the code below: Textbox1.Enabled=false; to prevent the user from changing a specific value. As you know, Textbox1.Enabled=false; is converted in the HTML to the disabled="disabled" CSS property. But unfortunately the end user can remove this CSS property with Firefox Firebug, enable the textbox, press the submit button and send the changed value to the server. So what can I do?


You should never - ever - trust user input. Everything submitted via website form is user input. There is nothing you can do to prevent someone from submitting anything they very well please, and you should not even try.

Instead, you should check/validate those values on the server. If it's a value you just want to display to them, but not allow them to change, then just don't have your code-behind check the value at all... since you know it should not change.

If you are enabling/disabling that TextBox based on whether the user is an 'admin' or something... then you are doing it wrong.


The same as for any data that you get from the browser.

  • Trust it only as much as you trust the user (and a bit less than that if you don't use SSL)
    • Untrusted users might be making an attack
    • Trusted users might be making a mistake
  • Check that it is sane (if whatever condition that causes the field to be disabled holds true, then check that the field isn't submitted)
  • Escape any data before you use it (e.g. for SQL before inserting it into a DB and for HTML before putting it in an HTML document).
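The server-side check both answers describe, as an added example in plain C# that is not code from the thread. Order, OrderForm, ApplyPostedForm and the field names are hypothetical, and the dictionary stands in for the posted form values that the page receives.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;

// Added illustration; Order, OrderForm and the field names are hypothetical.
public sealed class Order
{
    public int Quantity = 1;
    public decimal UnitPrice = 19.99m;   // value shown in the disabled textbox
}

public static class OrderForm
{
    // Applies a posted form to the stored order. Returns false and changes
    // nothing when the post is rejected. priceLocked is the same server-side
    // condition that sets Textbox1.Enabled = false; it never comes from the request.
    public static bool ApplyPostedForm(Order order, IDictionary<string, string> posted, bool priceLocked)
    {
        decimal price = order.UnitPrice;
        // Browsers do not submit disabled inputs, so a differing value for a
        // locked field means the page was altered on the client.
        if (posted.TryGetValue("UnitPrice", out var rawPrice))
        {
            if (!decimal.TryParse(rawPrice, NumberStyles.Number, CultureInfo.InvariantCulture, out price) || price <= 0)
                return false;   // not a sane price at all
            if (priceLocked && price != order.UnitPrice)
                return false;   // locked field was changed on the client
        }

        // Editable fields are still validated before they are used.
        if (!posted.TryGetValue("Quantity", out var rawQty)
            || !int.TryParse(rawQty, out var quantity) || quantity < 1 || quantity > 100)
            return false;

        order.Quantity = quantity;
        order.UnitPrice = price;
        return true;
    }

    public static void Main()
    {
        var order = new Order();
        // Constructed sample posts: one with the textbox re-enabled and edited, one untouched.
        var tampered = new Dictionary<string, string> { ["Quantity"] = "2", ["UnitPrice"] = "0.01" };
        var honest = new Dictionary<string, string> { ["Quantity"] = "2" };
        Console.WriteLine(ApplyPostedForm(order, tampered, priceLocked: true));
        Console.WriteLine(ApplyPostedForm(order, honest, priceLocked: true));
        Console.WriteLine(order.Quantity + " x " + order.UnitPrice.ToString(CultureInfo.InvariantCulture));
    }
}
```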
