Re: Modifying values in html form
by taint (Chaplain) on Nov 03, 2013 at 05:05 UTC
In my humble opinion, it is best to use only the POST method within such forms, and simply drop attempts submitted via GET. This greatly eliminates common methods to alter submissions via the URL/Location field(s) in their web client (browser). e.g.;
While hidden fields aren't really hidden, should anyone simply choose View->Source from their browser, it is fairly trivial to encode those fields via base64, or even sha256. All modern browsers will render those fields correctly, but a View->Source will reveal only seeming gibberish. While a savvy seasoned programmer/user might recognize the fields as being "packed", is it really worth the bother?
Anyway, while it isn't ever really possible to completely secure online form(s)/form data, things like this that "raise the bar to entry" will usually thwart most attempts, if for no other reason than that it simply doesn't seem worth the bother.
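
An added example, not part of the original post: a server-side check that drops non-POST submissions and packs a hidden field as base64 plus a keyed HMAC-SHA256 tag, so a modified value is detected on return. The HMAC tag is a technique the post does not mention; the secret, the field value and the function names are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use MIME::Base64 qw(encode_base64 decode_base64);
use Digest::SHA  qw(hmac_sha256_hex);

# Constructed server-side secret (assumption); never sent to the browser.
my $SECRET = 'example-secret-not-for-production';

# Pack a hidden-field value as "<base64 value>.<hex HMAC tag>".
sub pack_field {
    my ($value) = @_;
    my $b64 = encode_base64($value, '');    # '' = no trailing newline
    return $b64 . '.' . hmac_sha256_hex($b64, $SECRET);
}

# Return the original value, or undef if the field was altered or malformed.
sub unpack_field {
    my ($packed) = @_;
    my ($b64, $tag) = split /\./, ($packed // ''), 2;
    return unless defined $tag && length $b64;
    my $expect = hmac_sha256_hex($b64, $SECRET);
    return unless length($tag) == length($expect);
    # Compare every character so timing does not reveal where tags differ.
    my $diff = 0;
    $diff |= ord(substr($tag, $_, 1)) ^ ord(substr($expect, $_, 1))
        for 0 .. length($expect) - 1;
    return if $diff;
    return decode_base64($b64);
}

# Accept a submission only if it arrived via POST and the field verifies.
sub accept_submission {
    my ($method, $packed) = @_;
    return unless uc($method // '') eq 'POST';
    return unpack_field($packed);
}

my $field = pack_field('price=19.99');

# Constructed altered submission: new base64 value, old tag reused.
my (undef, $old_tag) = split /\./, $field, 2;
my $altered = encode_base64('price=0.01', '') . '.' . $old_tag;

for my $case (['POST', $field,   'POST, untouched'],
              ['GET',  $field,   'GET, untouched'],
              ['POST', $altered, 'POST, altered value']) {
    my ($method, $packed, $label) = @$case;
    printf "%-20s %s\n", "$label:", accept_submission($method, $packed) // 'rejected';
}
```

Only the untouched POST submission is accepted; the GET request and the altered value are both rejected.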