The user can also put in completely different values for X and Y in a POST request. If you want real security, either fetch the results on behalf of the user yourself, and output them to the user (using LWP::UserAgent), or store the data in a session and pick up the data in the target from that session.