Whenever you are passing data around either in hidden form fields or cookies, it is a good idea to sign it to make sure you get back exactly what you generated. ]]> $value) { $str .= $key.$value; } if($_POST['hash'] != md5($str.$secret)) { echo "Hidden form data modified"; exit; } ?>]]>