Security issue - POST vs GET
DaveinLondon
06-02-2006, 10:53 PM
Most of my website uses form buttons to navigate rather than the href because I didn't like the idea of users seeing all the variables I am passing to the next page.
Is using the POST method and hidden fields really any safer than the href, or can users still see all the variables if they want to?
How?
I would like to understand the security issues a bit more :)
NogDog
06-02-2006, 10:59 PM
If a user wants to know the hidden field values, all they have to do is a "View Source". (And someone with a network sniffer between the user and your webserver can see either if it's not encrypted (i.e. SSL).)
The basic rule of thumb is to use GET (URL query) if you're just requesting data, which allows the user to bookmark the result; and use POST if the result will alter data since that should not normally be bookmarked.
DaveinLondon
06-02-2006, 11:04 PM
Ahh - so in an adverts site - the paging would best be done with hrefs so that a page could be book-marked -- maybe ??
bokeh
06-03-2006, 02:55 AM
Use of GET and POST should be based on one issue only, and that is: "is there a lasting change". If the action causes a database to be modified, an email to be sent or a new Mercedes Benz to arrive on your doorstep, use the POST method; in all other cases use the GET method.
Neither method is more secure than the other.
Since POST sends data to the server that is not seen in the URL, it should not be used for linking, since it would be impossible to return to the same page by URL alone.
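Added example, not part of the original thread: the points made above about "View Source" and an unencrypted connection, run against a constructed form. The form markup, the field names, `/adverts.php` and `www.example.com` are assumptions made up for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode, parse_qs, urlsplit

# Constructed sample page: a "Next" button carrying state in hidden fields.
SAMPLE_FORM = """
<form method="post" action="/adverts.php">
  <input type="hidden" name="page" value="3">
  <input type="hidden" name="category" value="cars">
  <input type="submit" value="Next">
</form>
"""

class HiddenFieldReader(HTMLParser):
    """Collects what "View Source" shows: each hidden input's name and value."""
    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden":
            self.fields[a.get("name")] = a.get("value")

def hidden_fields(html):
    reader = HiddenFieldReader()
    reader.feed(html)
    return reader.fields

def build_request(method, path, fields, host="www.example.com"):
    """Plaintext HTTP/1.1 request as it travels when SSL is not used."""
    data = urlencode(fields)
    if method == "GET":
        return f"GET {path}?{data} HTTP/1.1\r\nHost: {host}\r\n\r\n"
    return (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(data)}\r\n\r\n{data}")

def fields_on_wire(raw):
    """Recover the variables from either request, as an observer on the path could."""
    head, _, body = raw.partition("\r\n\r\n")
    target = head.split(" ")[1]  # request target from the request line
    source = body if head.startswith("POST") else urlsplit(target).query
    return {k: v[0] for k, v in parse_qs(source).items()}

if __name__ == "__main__":
    fields = hidden_fields(SAMPLE_FORM)
    for method in ("GET", "POST"):
        print(method, fields_on_wire(build_request(method, "/adverts.php", fields)))
```

The only difference between the two requests is where the variables sit (request line versus body), which is why the choice between them is about bookmarking and lasting changes rather than secrecy.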