Oh right, I forgot to mention that. I could use a "get" instead, but that's inconvenient for other reasons. The user might input completely different values of x and y and mess things up. So I think it has to be "post".
The user can also put in completely different values for X and Y in a POST request. If you want real security, either fetch the results on behalf of the user yourself, and output them to the user (using LWP::UserAgent), or store the data in a session and pick up the data in the target from that session.