Jan 11 2008, 05:02 PM | Post #11
Privileged Member | Group: [HOSTED] | Posts: 786 | Joined: 13-April 07 | From: mreža | Member No.: 41,558
Well yes, in fact these JavaScript injections are used in such a manner to alter data. Let me give you an example of how someone would bypass your security check if you have some, as you said, life cycle of the form.
So the user on one page enters some data, let's say it is his age. As he hits submit (I am assuming that no user older than, let's say, 15 may enter), you save this variable in some hidden field and show him the code that he may not enter since he is younger than 15 years. However, since after his first click on the submit button the values sent will be, let's say, checked via your server PHP script and you will no longer check them after that, the problem now is that when you showed him the next page you don't want him to continue; that is the main reason why you provided the hidden field. If the user finds this out, he may use JavaScript injection to change the value of the hidden field variable, and in such a manner, to pass, he just needs to reload the page. I know this is not quite a good example, however I hope you understand the point. The simple solution would be to store the data in a session or cookie; this will in fact save the data and you will be able to access the data via $_SESSION['nameofvariable'], and this data will be encoded. Also remember that this data can be changed, as well as any data stored in the cookie. Hope I helped somewhat.
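The hidden-field scenario from the post above, as an added example that is not part of the original post: the same second-step check written once against a hidden field and once against server-side session state. The field names `age` and `age_ok`, the function names, and the reading of 15 as a minimum age are assumptions made for illustration.

```php
<?php
// Added example; names and the limit below are hypothetical, not from the thread.
const AGE_LIMIT = 15; // assumed here to be a minimum age

// Step 1: validate the submitted age on the server and record the verdict
// in session state. In a real page $session would be $_SESSION after
// session_start(); with PHP's default handler that data stays on the
// server and the browser only holds the session ID cookie.
function handle_age_form(array $post, array &$session): bool
{
    $age = filter_var(
        $post['age'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 150]]
    );
    // Anything that is not a plausible integer counts as a failed check.
    $session['age_ok'] = ($age !== false && $age >= AGE_LIMIT);
    return $session['age_ok'];
}

// Weak step 2: trusts a hidden field that made a round trip through the
// browser, so its value is whatever the client chose to send back.
function may_continue_weak(array $post): bool
{
    return ($post['age_ok'] ?? '') === '1';
}

// Hardened step 2: ignores the request body and reads only the verdict
// that step 1 stored on the server.
function may_continue(array $session): bool
{
    return ($session['age_ok'] ?? false) === true;
}

// Constructed requests: a user below the limit submits the form, then sends
// a second request in which the hidden field was edited in the browser.
$session = [];                       // stands in for $_SESSION
handle_age_form(['age' => '12'], $session);
$tamperedPost = ['age_ok' => '1'];   // constructed, edited hidden field

var_dump(may_continue_weak($tamperedPost)); // the hidden field decides
var_dump(may_continue($session));           // the server-side verdict decides
```

Run with `php` on the command line; the two `var_dump` calls show how the weak and hardened checks answer the same tampered request.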