Hidden fields are preferred to visible fields and far preferred to query string data, but hidden fields can still be modified. The user can save the form page on their desktop, modify the HTML source (and include the full HTTP path in the form action), then use their browser to send the modified form on to the server. Do most people have that much time on their hands? Of course not. But it's still a risk. (As is a session hijack too.) Why not create some HEAP tables that will work as session tables, and just insert the data into the HEAP tables, then when you're done, do an INSERT INTO...SELECT to take the data from the HEAP table and store it in the real table (then DELETE the entries from the temporary HEAP table)? That way you're not passing the data page to page, but storing it as you go.
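
The staging-table flow described above, as an added example that is not part of the original post: each form page writes its fields to a server-side staging table keyed by session ID, and the last step runs INSERT INTO...SELECT followed by DELETE in one transaction. In-memory SQLite stands in for MySQL here, and the table names `form_staging` and `orders` and all function names are hypothetical.

```python
import secrets
import sqlite3

# Assumption: in-memory SQLite stands in for MySQL; on MySQL the staging
# table would be declared ENGINE=MEMORY (the engine formerly named HEAP).
db = sqlite3.connect(":memory:")
db.executescript("""
CREATE TABLE form_staging (          -- plays the role of the HEAP table
    session_id TEXT NOT NULL,
    field      TEXT NOT NULL,
    value      TEXT NOT NULL,
    PRIMARY KEY (session_id, field)  -- re-submitting a page overwrites
);
CREATE TABLE orders (                -- hypothetical "real" table
    session_id TEXT NOT NULL,
    field      TEXT NOT NULL,
    value      TEXT NOT NULL
);
""")

def new_session():
    # Only this random ID goes to the browser (in a cookie), never the data.
    return secrets.token_hex(16)

def save_step(session_id, fields):
    """Store one page's fields server-side as the user goes."""
    with db:  # commit on success, roll back on error
        db.executemany(
            "INSERT OR REPLACE INTO form_staging VALUES (?, ?, ?)",
            [(session_id, k, v) for k, v in fields.items()],
        )

def finalize(session_id):
    """Copy staged rows to the real table, then clear them, atomically."""
    with db:
        cur = db.execute(
            "INSERT INTO orders SELECT session_id, field, value "
            "FROM form_staging WHERE session_id = ?", (session_id,))
        db.execute("DELETE FROM form_staging WHERE session_id = ?",
                   (session_id,))
    return cur.rowcount  # number of rows moved

def rows(table, session_id):
    if table not in ("form_staging", "orders"):  # identifiers cannot be bound
        raise ValueError(table)
    q = db.execute(f"SELECT field, value FROM {table} "
                   "WHERE session_id = ?", (session_id,))
    return dict(q.fetchall())
```

Each page's input still needs validating before `save_step` is called, and the session ID remains a bearer token, so the session hijack risk mentioned above is not removed by this pattern.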