Validating form data using hidden fields
Unless the business will allow updating "bad" regexes on a daily basis and support someone to research new attacks regularly, this approach will be obviated before long.

Rather than accept or reject input, another option is to change the user input into an acceptable format. Any characters which are not part of an approved list can be removed, encoded or replaced.

Otherwise, you are allowing attackers to repeatedly attack your application until they find a vulnerability that you haven't protected against. Detecting attempts to find these weaknesses is a critical protection mechanism.

Essentially, if you don't expect to see characters such as ? or JavaScript or similar, reject strings containing them.
However, simply preventing attacks is not enough - you must perform Intrusion Detection in your applications.
However, there are bad, good and "best" approaches.
Often the best approach is the simplest in terms of code.
Integrity checks must be included wherever data passes from a trusted to a less trusted boundary, such as from the application to the user's browser in a hidden field, or to a third party payment gateway, such as a transaction ID used internally upon return.
The type of integrity control (checksum, HMAC, encryption, digital signature) should be directly related to the risk of the data transiting the trust boundary. However, validation should be performed as per the function of the server executing the code.
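An added example of the HMAC option for a hidden field (this is illustrative code, not from the guide): the server binds the field name and value to a MAC before emitting the field, and on return it only accepts the value if the MAC still verifies. The field name `price`, the secret and the `|` separator are assumptions for the example.

```python
import hashlib
import hmac

# Constructed secret for this example only; a real deployment loads it from
# server-side configuration and never exposes it in the form.
SECRET_KEY = b"example-server-secret-do-not-use"


def sign_hidden_field(name: str, value: str, key: bytes = SECRET_KEY) -> str:
    """Return what the server places in the hidden field: value|hex(HMAC).

    The field name is included in the MAC input so a signed value cannot be
    moved from one hidden field to another.
    """
    mac = hmac.new(key, f"{name}={value}".encode(), hashlib.sha256).hexdigest()
    return f"{value}|{mac}"


def verify_hidden_field(name: str, submitted: str, key: bytes = SECRET_KEY):
    """Return the original value if the MAC verifies, otherwise None.

    Anything returned from the browser is untrusted, so a missing or
    mismatched MAC rejects the whole field rather than falling back to it.
    """
    value, sep, mac = submitted.rpartition("|")
    if not sep:
        return None  # no MAC present
    expected = hmac.new(key, f"{name}={value}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    return value


if __name__ == "__main__":
    field = sign_hidden_field("price", "12.99")
    print("emitted:", field)
    print("intact  :", verify_hidden_field("price", field))
    # Simulate the client editing the hidden value before posting it back.
    print("tampered:", verify_hidden_field("price", field.replace("12.99", "0.01", 1)))
    # Simulate replaying a valid token into a different field.
    print("moved   :", verify_hidden_field("qty", field))
```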