OK, but it could be done. SHA1 can't be decrypted, but it always encrypts the same, so you can compare the encrypted value in the database to the encrypted version of the submitted value to make sure they are the same in the database. However, your solution of just using the form element is probably better anyway for the reasons you stated.