in reply to CGI Security
If the FORM uses the GET method, then the variables will be visible in the Location bar of the browser; a user could then simply edit them.
If the FORM uses the POST method, the user can save the page to their hard drive, edit the source to change the values, then submit from that edited version of the page.
Short answer -- yes, people can see and change values in "hidden" form variables.
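A server-side integrity check that follows from the reply above, added here as an example and not part of the original post: the server tags the hidden values with an HMAC when it renders the form and rejects any submission whose values no longer match, whether they arrive as a GET query string or a POST body. `SERVER_KEY`, the function names and the `item`/`price` fields are assumptions made for illustration.

```python
import hashlib
import hmac
from html import escape
from urllib.parse import parse_qs, urlencode

# Constructed demo key (assumption); a real deployment loads a random secret server-side.
SERVER_KEY = b"constructed-demo-key-not-for-production"


def sign_fields(fields: dict) -> str:
    """Return a hex HMAC-SHA256 tag over the hidden fields in a canonical order."""
    canonical = urlencode(sorted(fields.items())).encode()
    return hmac.new(SERVER_KEY, canonical, hashlib.sha256).hexdigest()


def render_hidden_inputs(fields: dict) -> str:
    """Emit the hidden inputs plus a tag the server checks on submission."""
    signed = dict(fields, sig=sign_fields(fields))
    return "\n".join(
        f'<input type="hidden" name="{escape(k)}" value="{escape(v)}">'
        for k, v in signed.items()
    )


def verify_submission(encoded: str, protected: tuple) -> dict:
    """Parse a GET query string or POST body; raise ValueError if a value was edited."""
    parsed = parse_qs(encoded, keep_blank_values=True)
    fields = {}
    for name in protected + ("sig",):
        values = parsed.get(name, [])
        if len(values) != 1:  # absent, or repeated to confuse the parser
            raise ValueError(f"missing or duplicated parameter: {name}")
        fields[name] = values[0]
    sig = fields.pop("sig")
    if not hmac.compare_digest(sig.encode(), sign_fields(fields).encode()):
        raise ValueError("hidden field was modified by the client")
    return fields


# Constructed sample: a form carrying hidden item and price fields.
ORIGINAL = {"item": "A100", "price": "19.99"}
GOOD = urlencode(dict(ORIGINAL, sig=sign_fields(ORIGINAL)))
EDITED = GOOD.replace("19.99", "0.01")  # what a saved-and-edited page would submit
```

The tag only detects modification: the values stay readable to the user, and a previously issued valid form can be resubmitted unless the tag also covers a session identifier or expiry.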