in reply to functions for passing variables through multiple CGI forms

I use routines similar to what you're doing, though I tend to explicitly write out the hidden fields, since our company doesn't use templates (sigh). One common problem with hidden data is that those hidden values can easily be tampered with. If that's not important to you, it's not a big deal. However, you could have problems if you rely on something like the following:
<input type=hidden name="price" value="42.95">
Then, it can be a trivial matter for someone to adjust the price value. Needless to say, if you have other data in those fields that you cannot afford to have altered, this can be a big problem. Try using Digest::MD5 or Digest::SHA1 (SHA1 takes longer, but it's more secure). Here's some sample code:
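    #!/usr/bin/perl -w
    use strict;
    use Digest::MD5 qw( md5_base64 );
    # Server-side secret; it is never sent to the browser
    my $rand = 'yed*73=1/+#@%d';
    my $price = '40.95';
    my @data = ($rand, $price);
    # md5_base64 concatenates its arguments before hashing them
    my $base64_digest = md5_base64( @data );
    print $base64_digest;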
That should print something like "BS1+1ySMDuN+fqp7hnMRYw".

Take the digest value and embed that in the form. When the values are returned, recompute the digest with the same $rand. If the values don't match, your hidden values have been tampered with. Needless to say, you want $rand to be as secure as possible!

Cheers,
Ovid

Join the Perlmonks Setiathome Group or just go to the link and check out our stats.

Replies are listed 'Best First'.
MD5 should be run twice
by markjugg (Curate) on Oct 16, 2000 at 20:12 UTC
    Thanks for the tip Ovid. I use a similar scheme sometimes myself. I learned about this from Writing Apache modules, page 213. In the explanation, they say that you should run the MD5 algorithm twice or "Otherwise, a technically savvy user could take advantage of one of the mathematical properties of the algorithm to append his own data to the end of the fields". They give this example:
    $MAC = MD5->hexhash($secret . MD5->hexhash(join '', $secret, @fields));
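
Added example, not part of either post: the sign-then-verify round trip for hidden fields, using HMAC-SHA256 from Digest::SHA as the keyed nested-hash construction in place of the raw MD5 calls shown in the thread. The secret, the field values and the helper names (canonical, sign_fields, verify_fields) are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw( hmac_sha256_hex );

# Constructed sample secret (assumption); keep the real one server-side only.
my $secret = 'constructed-sample-secret';

# Encode each field as "<length>:<value>" so that ('widget-17', '42.95')
# and ('widget-174', '2.95') cannot produce the same MAC input.
sub canonical {
    my @fields = @_;
    return join '', map { length($_) . ':' . $_ } @fields;
}

# MAC over the hidden field values, keyed with the server-side secret.
sub sign_fields {
    my @fields = @_;
    return hmac_sha256_hex( canonical(@fields), $secret );
}

# Recompute the MAC and compare every character, with no early exit.
sub verify_fields {
    my ( $mac, @fields ) = @_;
    my $expected = sign_fields(@fields);
    return 0 unless defined $mac && length($mac) == length($expected);
    my $diff = 0;
    $diff |= ord( substr( $mac, $_, 1 ) ) ^ ord( substr( $expected, $_, 1 ) )
        for 0 .. length($expected) - 1;
    return $diff == 0 ? 1 : 0;
}

# Values the server writes into the form, plus the MAC as one more hidden input.
my @hidden = ( 'widget-17', '42.95' );
my $mac    = sign_fields(@hidden);
print qq{<input type="hidden" name="mac" value="$mac">\n};

# Values as they might come back from the browser (constructed cases).
my @cases = (
    [ 'unchanged',      $mac, 'widget-17',  '42.95' ],
    [ 'price edited',   $mac, 'widget-17',  '0.01' ],
    [ 'fields shifted', $mac, 'widget-174', '2.95' ],
);
for my $case (@cases) {
    my ( $label, @args ) = @$case;
    printf "%-15s %s\n", $label, verify_fields(@args) ? 'accepted' : 'rejected';
}
```

Only the first case is accepted; the third would collide with the original values if the fields were joined with an empty string, as in both snippets above.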