However, this is not very useful because anybody with fair computer knowledge can modify the source code of the form (by using Firefox addon Webdeveloper bar for example) and put there an arbitrary value so i would like to get the IP and store it in a place where the user cant see it, not even by looking at the source so it cant be modified. The same for the referrer.
I tried with session @session_start(); and it worked well at the beginning, or thats what i thought but seems like its not getting the referrer as it should. Could you please give me a hint?
I'd suggest that you have the PHP script that generates the form encode the user's IP address in such a way that it's not easily identifiable as an IP address and also use a name attribute that doesn't indicate the data is an IP address. Then the script that processes the form submission could decode the data and verify it with the referer's IP address.
The encoding doesn't need to be terribly complex. As long as it's purpose isn't immediately apparent, you should discourage a large percentage of hackers who would rather spend their time finding other more vulnerable scripts than attempting to defeat your code.
You haven't really made your purpose clear. But even if a user could modify the data and submit it to your script, even a simple encoding scheme would likely be too much trouble for them to figure out how to format the data properly in order to get your script to accept it.
As you suggested, you could store this encoded data in a $_SESSION variable instead of in a 'hidden' <input> tag. A hacker could generate his own session cookie and spoof the data, but he would face the same problem of having to figure out your encoding scheme. Good luck!