Developer Docs - Developer Codex - Code Security

When accepting data back from a post-back, assume someone has tampered with it and re-validate it. In other words, never use an ID in a hidden field that you didn’t expect someone could change (they can change them).