If you can, hardcoding the values in the script or a config file is much safer. You might not be able to if the values depend on which page is doing the calling, or is coming from a select box.
With fixed form fields, your validation job is easier. You know exactly what values are present in the page and what their format is. You don't need to accept input from people who will enter all kinds of stuff. You don't have to worry about nice error message. If there is an illegal value in a hidden form field, either there is a bug or someone is making an attack.