Front-End code exposed
Overall, what can the user do?
If you make a field hidden, it is only hidden from your average user: anyone can open the page source or the browser's dev tools and change the value of the hidden field before submitting.
Ex: you stored the ID of my account in the form used to edit my profile. What if I put someone else's ID inside? That ID should have been kept in
$_SESSION in the first place, so that was a pretty bad move 😶.
If a field is required, or you added a JS script to check the form, the user can remove or bypass any of it. You have to test everything again in PHP. You will do it once in HTML/CSS for the normal users, and a second time on the server for the "hackers".
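The two points above (account ID taken from $_SESSION, every form rule re-checked on the server) as an added example; this is not code from the original note, and the session key, field names and the $pdo connection are assumptions:

```php
<?php
// Added example (not from the original note): a profile-edit handler that
// trusts nothing coming from the browser. Session key and field names are assumed.
session_start();

// The account being edited comes from the server-side session, never from a
// hidden form field: a hidden <input name="id"> can be rewritten by anyone.
if (empty($_SESSION['user_id'])) {
    http_response_code(401);
    exit('Not logged in');
}
$userId = (int) $_SESSION['user_id'];

// Any "id" the client sent is ignored. If it disagrees with the session it is
// worth logging, because a normal browser would never send a different value.
if (isset($_POST['id']) && (int) $_POST['id'] !== $userId) {
    error_log("profile edit: submitted id {$_POST['id']} != session id {$userId}");
}

// Re-check every rule the HTML "required" attribute or the JS validator
// enforced, because the client can strip both before submitting.
$errors = [];
$displayName = trim((string) ($_POST['display_name'] ?? ''));
if ($displayName === '' || mb_strlen($displayName) > 50) {
    $errors[] = 'display_name must be 1-50 characters';
}
$email = trim((string) ($_POST['email'] ?? ''));
if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    $errors[] = 'email is not valid';
}
if ($errors) {
    http_response_code(400);
    exit(implode("\n", $errors));
}

// Assumed: $pdo is an existing PDO connection. The WHERE clause binds the
// session's user id, so the update can only touch the caller's own row.
$stmt = $pdo->prepare('UPDATE users SET display_name = ?, email = ? WHERE id = ?');
$stmt->execute([$displayName, $email, $userId]);
echo 'Profile updated';
```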
You should never put HTML comments in your code, because anyone can read them in the page source. Instead, developers write PHP comments, which are stripped on the server before the page reaches the browser:
<?php // some comment ?>