since in both cases you use method=post, go with version 2.
- URLs have a max length that you might hit with to many parameters (some thousand chars)
- List input fields are easier to manipulate with javascript (jQuery and alike)
- The usual user does not see all those ugly URLs
Just remember: hidden fields are hidden, but it´s a matter of seconds to access them. So never trust user data and always escape your data. "because I don't want actions to be triggered by URL" Always assume that all users are evil. If this link could cause damage, so could a form. Use some authentification.