You should not expose a sensitive ID/data. there is no "security" practice doing that.
you should use a session variable, as @cmrrissey suggestion
@session_start(); #at before any outputscript
$_SESSION['userID'] = $senstiveId;
Also, You should not rely on the frontend validations. you must re-check/validate on your server, what is your end user sending to you.