You have several options:
- You can use $ENV{HTTP_REFERER} (or, more simply, $cgi->referer) to make sure that your script is being submitted from the right place.
- You could do an MD5 checksum of all the hidden fields to make sure they haven't changed.
- You could use something like CGI::EncryptForm to encrypt the data so it can't be changed.
- You could not store anything in hidden fields and use sessions instead (see Apache::Session).
You definitely don't want to accept things like prices from form fields (I know of one major e-commerce system that does).
Hope this helps.
gav^
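
An added example, not part of the original post: one way to do the hidden-field checksum from the second option, using a keyed HMAC-SHA256 (Digest::SHA) in place of a bare MD5, so that a client who edits a field cannot recompute a matching value. The secret, the field names and the helper names (`canonical`, `sign_fields`, `verify_fields`) are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumption: a server-side secret that is never sent to the browser.
my $SECRET = 'constructed-demo-secret-replace-me';

# Canonicalise the fields: sorted names, every name and value
# length-prefixed, so (a => 'bc') and (ab => 'c') cannot collide.
sub canonical {
    my (%f) = @_;
    return join '',
        map { length($_) . ':' . $_ . length($f{$_}) . ':' . $f{$_} }
        sort keys %f;
}

# MAC over all hidden fields; sent to the client as one more hidden field.
sub sign_fields {
    my (%f) = @_;
    return hmac_sha256_hex(canonical(%f), $SECRET);
}

# Recompute the MAC on submission and compare without an early exit,
# so the comparison time does not depend on where the values differ.
sub verify_fields {
    my ($mac, %f) = @_;
    my $expect = sign_fields(%f);
    return 0 unless defined $mac && length($mac) == length($expect);
    my $diff = 0;
    $diff |= ord(substr($mac, $_, 1)) ^ ord(substr($expect, $_, 1))
        for 0 .. length($expect) - 1;
    return $diff == 0 ? 1 : 0;
}

# Constructed sample: the form carries an item id and quantity, not a
# price; the price is looked up server-side from the item id.
my %hidden = (item_id => '1042', qty => '2', step => 'confirm');
my $mac    = sign_fields(%hidden);

my %tampered = (%hidden, qty => '200');    # client edited a field
my %extra    = (%hidden, discount => '99'); # client added a field

for my $case (['untampered', \%hidden], ['edited qty', \%tampered],
              ['extra field', \%extra]) {
    my ($label, $fields) = @$case;
    printf "%-12s %s\n", $label,
        verify_fields($mac, %$fields) ? 'accepted' : 'rejected';
}
```

The MAC only proves the fields are unchanged since the server issued them; it does not stop an old, validly signed form from being resubmitted, which is one reason to prefer the session option for anything stateful.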