Can people see or change the values in “hidden” form variables?
They sure can! The hidden variable is visible in the raw HTML that the server sends to the browser. To see the hidden variables, a user just has to select “view source” from the browser menu. In the same vein, there’s nothing preventing a user from setting hidden variables to whatever he likes and sending it back to your script. Don’t rely on hidden variables for security.