[eluser]Future Webs[/eluser]
what i do in this situation is ..
and im guessing that you have the users id stored along with the data that is being edited.
first up, when the page loads cross reference the users id from the session with the users id of the data being edited. if they dont match dont show the form and either redirect or show a notice of "your not allowed here, your IP has been logged etc"
I would also not store the users id as a hidden field in your form as people could see that in the source and maybe change it. Instead do this in the model or controller wherever you are building the array to pass to the update. Nobody has access to the model or controller and the array is not listening for any POST values for the users id and instead takes them from the session
The less you put in the form the better. If you can hard code it into the controller or model rather then passing it back and forth as a POST the less chance there is of anything being changed that should not be