Validating form data using hidden fields
Data from the client should never be trusted, because the client has every opportunity to tamper with it.
In many cases, encoding has the potential to defuse attacks that rely on a lack of input validation.
Note that you should proceed to validate the resulting numbers as well.
As you can see, this is not only beneficial for security, but it also allows you to accept and use a wider range of valid user input.
All sections should be reviewed.
The most common web application security weakness is the failure to properly validate input from the client or environment.
The account select option is read directly and passed in a message to the backend system without validating that the account number is one of the accounts provided by the backend system.
An attacker can change the HTML in any way they choose: rather than account names.
This is a dangerous strategy, because the set of possible bad data is potentially infinite.
Adopting this strategy means that you will have to maintain the list of "known bad" characters and patterns forever, and you will by definition have incomplete protection.
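The account selection check described above, as an added example that is not code from the original page: the server keeps the list of accounts it received from the backend and accepts only a submitted value that maps back into that list. The session store, function names and sample account numbers are constructed for illustration, and sending a list index to the browser instead of the account number is an assumption of this example.

```python
# Constructed sample data: the accounts the backend returned for each session.
# In a real application this lives in server-side session state.
ACCOUNTS_BY_SESSION = {
    "session-alice": ["10001234", "10005678"],
    "session-bob": ["20009999"],
}


def render_account_options(session_id):
    """Build (value, label) pairs for the <select> element.

    The option value is an index into the server-side list, so the full
    account number never has to be trusted when it comes back.
    """
    accounts = ACCOUNTS_BY_SESSION.get(session_id, [])
    return [(str(i), "****" + acct[-4:]) for i, acct in enumerate(accounts)]


def resolve_selected_account(session_id, submitted_value):
    """Map the submitted option value to an account this session was given.

    Raises ValueError for anything outside the known-good set, instead of
    trying to recognise "known bad" input.
    """
    accounts = ACCOUNTS_BY_SESSION.get(session_id, [])

    # Known-good format: a short string of ASCII digits and nothing else.
    well_formed = (
        isinstance(submitted_value, str)
        and submitted_value.isascii()
        and submitted_value.isdigit()
        and len(submitted_value) <= 3
    )
    if not well_formed:
        raise ValueError("malformed account selection")

    # Validate the resulting number as well: it must be in range.
    index = int(submitted_value)
    if index >= len(accounts):
        raise ValueError("account selection out of range")

    return accounts[index]
```

A rejected selection should be logged with the session identifier, since a value the form never offered indicates the request was modified after the page was rendered.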