Let me get this correct -
1. B & M retailer has an account with wholesaler that is protected on the wholesaler's site by a login name and password.
2. Your solution allows this password to be exposed via a plain text hidden field in a form for the convenience of the customer, then when the customer submits it auto-logs in to the wholesaler site.
Is this correct?
If you expect that a hidden field is some sort of protection this is a VERY BAD IDEA. It's a foolish assumption to hope that only unaware customers will use your page. Remember rule one of forms: any input is a potential hack, including HIDDEN input.
Additionally it's taking the customer off-site by posting to the wholesaler's site, correct?
Here is how I would do this, and I would *only* do so on a secure SSL encrypted site:
1. Your customer form posts the requested items to a script on your server.
2. This script gets the login name and this password from an encrypted file or decrypts it from a database. It is now held only in memory.
3. Using the command line program curl, your script posts the login info and form data to the wholesaler's server. In case you don't know, curl posts to a URL and the returned result is just as if you'd posted a form and its data somewhere.
4. Based on the result you return a page to the browser, and you have the added bonus of the customer never having left your site.
curl will work in any language on a Linux server. Something like (Perl below):
# -d sends the quoted string as the POST body; the backticks capture curl's output
$result = `curl -d 'login=somename&pass=pass&itemname=Blue%20Widgets' 'http://wholesaleexample.com'`;
And $result has the response from the server; it will be output like an HTML page.
Form -> script, script assembles variables -> curls URL -> parses result -> returns response to browser. All one process, nothing exposed to browser.
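
The relay flow described in steps 1 to 4, as an added example in Python (not code from the original post). It feeds the POST body to curl on stdin so the password does not appear in the process list, forwards only whitelisted form fields, and scrubs the credentials from the wholesaler's reply. The HTTPS URL, the `ALLOWED_FIELDS` whitelist, all function names and the sample credentials are assumptions made for illustration; loading and decrypting the stored credentials is left to the caller.

```python
import subprocess
from urllib.parse import urlencode

WHOLESALER_URL = "https://wholesaleexample.com/"  # placeholder; HTTPS endpoint assumed
ALLOWED_FIELDS = {"itemname"}  # the only browser-supplied field that is forwarded


def build_body(form, creds):
    """Merge server-held credentials with whitelisted form fields, URL-encoded."""
    fields = {k: v for k, v in form.items() if k in ALLOWED_FIELDS}
    # Credentials are set last, so a browser-sent "login" or "pass" can never win.
    fields["login"] = creds["login"]
    fields["pass"] = creds["pass"]
    return urlencode(fields)


def curl_argv(url=WHOLESALER_URL):
    """curl command line: the body arrives on stdin ("@-"), never in argv."""
    return ["curl", "--silent", "--show-error", "--fail", "--proto", "=https",
            "--max-time", "15", "--data", "@-", url]


def scrub(text, creds):
    """Remove the credentials from upstream output before it reaches the browser."""
    for secret in (creds["login"], creds["pass"]):
        text = text.replace(secret, "[redacted]")
    return text


def relay_order(form, creds):
    """Post to the wholesaler and return text that is safe to show the customer."""
    proc = subprocess.run(curl_argv(), input=build_body(form, creds),
                          capture_output=True, text=True, check=False)
    if proc.returncode != 0:
        # Do not pass curl's error output through to the customer.
        return "Order could not be placed, please try again later."
    return scrub(proc.stdout, creds)


if __name__ == "__main__":
    # Constructed sample values; real credentials come from the encrypted store.
    sample_creds = {"login": "somename", "pass": "s3cr&t"}
    print(build_body({"itemname": "Blue Widgets", "pass": "forged"}, sample_creds))
    print(curl_argv())
```

The script that handles the customer form would call `relay_order()` with the parsed form and the decrypted credentials, then parse the returned text to build the page it sends back.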