I'm not sure if there's really a way to make this more secure - but, this is what I have...
I have a form with a hidden field that retrieves a hashed user ID from a session, and then inserts that info into the hidden form field.
How can I make sure that a user doesn't change this info when submitting the form?
I'm guessing that it's impossible to guard against, since it's a hidden form field and a user could simply change either the session info or just the hidden form field data.
Why pass the value along if you're already tracking it in a session?
The answer is you can't, any values passed through a form are given to us from a client, so you need to validate everything yourself.
__________________
As of PHP 5.5, the MySQL library has been officially deprecated. It is recommended to move to either MySQLi or PDO libraries for your mysql connectivity. See here for help choosing which interface you prefer: http://php.net/manual/en/mysqlinfo.api.choosing.php
I have a registration page that takes the user to a payment page after successfully signing up.
When the user first registers, a random hashed user ID is generated for that user and then inserted into my database and into a session.
On the payment page, the user ID from the session is inserted into a hidden form field. This user ID is submitted to PayPal when the user makes their first payment. PayPal needs a custom user ID to update my records using the PayPal IPN.
In that case, I'd leave it as it is. If any user tries to tamper with the data it won't let them use the service even if they have paid, so it will be them that is losing out not you
In fact, if the op has their email, he can send them an email
asking them to play with the data again, maybe a few times ;-)
__________________
If you want to attract and keep more clients, then offer great customer support.
Support-Focus.com. automates the process and gives you a trust seal to place on your website.
I recommend that you at least take the 30 day free trial.
I hash the e-mail address from the registration page with a random salt, using SHA-1. Then I use that hash as the user ID for each user in the database.
So, I'm guessing it would be fairly hard for a malicious user to generate a hash (user ID) for an existing user anyways, right?
I was even thinking of using SHA-512, but that's probably taking it too far.
Before you post, read our: 
How can I improve the security of this?
