cryptichorizon

The short answer is yes. The value of hidden form variables can easily be changed to basically anything on the client side. You can't assume that what you put there is what you going to get back. You'll be fine if you follow good general security practices like validating the form data you receive and properly escaping values when you use them in SQL queries.