in reply to Checking Referring Page?
You could add an extra field consisting of an encrypted* checksum of the existing fields. This will allow you to detect tampering and that data came from your own script since only your script knows the key used to encrypt and decrypt the checksum.
Alternatively (and more commonly used), you could store a session id instead of the data in the hidden fields. On the downside, this requires some sort of database to hold the data associated with the session. The security in this method comes from the near impossibility** of guessing the long session ids of active sessions.
* – A symmetric encryption algorithm, such as Crypt::Rijndael, would be ideal.
** – If you're using 128 bit session ids, and there are 1024 (2^10) active sessions on your site, the attacker has a 1 in 3.3*10^35 (2^(128-10)) chance of guessing an active session id.
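An added example (not from the original post) of the first approach in Python: the hidden fields are bound to a server-held key with an HMAC-SHA256 tag, which is the usual way to implement a keyed checksum today rather than encrypting a plain checksum; the key, field names and values are constructed for the demo.

```python
import hmac
import hashlib
from urllib.parse import urlencode

# Constructed demo key: in a real deployment load it from server-side config
# and never send it to the client.
SECRET_KEY = b"constructed-demo-key-change-me"

def canonicalize(fields):
    """Deterministic byte encoding of the hidden fields.

    Sorting by name and URL-encoding each pair means the form generator and
    the verifier hash identical bytes, and no two field sets share an encoding.
    """
    return urlencode(sorted(fields.items())).encode()

def sign_fields(fields, key=SECRET_KEY):
    """Return a copy of the hidden fields with an added 'mac' field.

    The 'mac' name is assumed here and must not collide with a real field.
    """
    tag = hmac.new(key, canonicalize(fields), hashlib.sha256).hexdigest()
    return {**fields, "mac": tag}

def verify_fields(submitted, key=SECRET_KEY):
    """True only if the submitted 'mac' matches the other submitted fields."""
    submitted = dict(submitted)
    tag = submitted.pop("mac", None)
    if tag is None:
        return False
    expected = hmac.new(key, canonicalize(submitted), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check itself leaks nothing about the tag.
    return hmac.compare_digest(tag, expected)

if __name__ == "__main__":
    # Constructed order form as it would be emitted into hidden inputs.
    form = sign_fields({"item": "widget", "price": "19.99", "qty": "2"})
    print(verify_fields(form))                      # True: untouched fields
    print(verify_fields({**form, "price": "0.01"})) # False: price was edited
```

The tag proves the fields were produced by a holder of the key and not altered since; it does not by itself stop a client from replaying an older, validly signed set of fields.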