I am still puzzled at how a question that is so obviously about shell scripting could be mistaken for a CGI question.

When people start talking about passing information around in %ENV, they're obviously talking about shell scripting.

About the security note, the issue with hidden form fields is not that users can read them, it is that users can set them. For instance take the common flub of putting prices in hidden form fields. Someone can save your page, edit the prices, and strike a special deal. Obviously you want the viewer to see what your prices are. But you don't want your viewer to set them, so you shouldn't use hidden form fields for that.