How to set readonly / disabled input via php?


I have a form that allows the user to change name, surname, password etc. I have the email field disabled: I don't want to allow the user to change the email in the account settings, so I disabled the input with the disabled HTML parameter. However, it can be easily bypassed: just go to the Google console, delete the disabled parameter from the HTML, change the email input and send the request.

I cannot create a fake email field, as the form communicates with a plugin, so the email input must necessarily be present. I thought about disabling it with PHP, as this can't be seen in the HTML, but I'm not sure how to do it and I'm not sure if it's the right method.

How could I disable the form input making it inaccessible to the user and prevent it from being modified with some cheating?

<!-- The WooCommerce hook is fired with do_action(); add_action() only registers a callback and prints nothing -->
<form name="Form" class="mts-edit-account" action="<?php echo admin_url('admin-ajax.php'); ?>" method="post" enctype="multipart/form-data" <?php do_action( 'woocommerce_edit_account_form_tag' ); ?> >

  <div class="form-row email_show">
    <!-- the label's for attribute must match the input's id -->
    <label class="t3" for="account_email">Email</label>
    <!-- disabled only prevents the browser from sending the field; it can be removed client-side -->
    <input type="email" class="field-settings disabled" style="pointer-events:none;" name="account_email" id="account_email" disabled value="<?php echo esc_attr( $user->user_email ); ?>" />
    <span class="t4-light">Description..........</span>
  </div>

</form>

Answer by IMSoP

Your requirements are, unfortunately, impossible due to the design of the web - your code can not control what the user can do, it can only suggest what they should do, and detect what they have done.

I cannot create a fake email field as the form communicates with a plugin, so the email input must necessarily be present.

If you want the user's browser to send data directly to the plugin, then that data is under the user's control. If necessary, the user can write an entire HTML form of their own and submit that; or just use a script to create a request that looks indistinguishable from one a real browser would generate.

So, you are right that you need to do something on the server-side, but that needs to be after the form is submitted, not before. For instance:

  • before passing the data to the plugin, overwrite the value of this field in the $_POST array (or whatever form the input takes at the point you intercept it) with the required value
  • rather than letting the plugin handle the form directly, write your own form handling code that manipulates the data, then call some function in the plugin directly with your manipulated data
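One way to implement the first suggestion (overwrite the submitted field with the trusted value before the plugin sees it), as an added example that is not part of the answer or of WooCommerce itself. It assumes WordPress with WooCommerce, whose account-details handler runs on template_redirect at the default priority, and uses the account_email field name from the question; the hypothetical helper name enforce_account_email is mine.

```php
<?php
// Added example: enforce the email server-side, after submission, by
// replacing whatever the client sent with the value already stored for the
// logged-in user. Field name 'account_email' is from the question's form.

/**
 * Replace $fields['account_email'] with the trusted value from the user
 * record and return the corrected array. Kept free of WordPress calls so it
 * can be exercised on its own with a plain array.
 */
function enforce_account_email( array $fields, string $trusted_email ): array {
    if ( isset( $fields['account_email'] ) && $fields['account_email'] !== $trusted_email ) {
        // A disabled field is never sent by a normal browser, so a different
        // value here means the form was altered; worth logging for detection.
        error_log( sprintf(
            'account_email mismatch: submitted "%s", stored "%s"',
            $fields['account_email'],
            $trusted_email
        ) );
    }
    $fields['account_email'] = $trusted_email;
    return $fields;
}

// Priority 5 runs before WooCommerce's own save_account_details handler
// (template_redirect, priority 10), so the plugin only ever reads the
// trusted value. For a form posted to admin-ajax.php, as in the question,
// attach the same callback to 'admin_init' instead (assumption: the plugin's
// AJAX action reads $_POST after that hook has fired).
add_action( 'template_redirect', function () {
    if ( 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? '' ) || ! is_user_logged_in() ) {
        return;
    }
    $user  = wp_get_current_user();
    $_POST = enforce_account_email( $_POST, $user->user_email );
}, 5 );
```

Because the stored email is looked up from the authenticated session rather than the request, removing the disabled attribute in the browser changes nothing on the server.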