nathanpacker
Re: Can a text link pass php variables?

Jan 12th, 2007

Originally Posted by MCP
While a form using the post method is less obvious than the ?id=xyz in the url, they're both just as hackable. If you want to verify (assuming you're running windows), check out Microsoft Fiddler, and you'll see exactly what gets passed along to your server. What you'll find is that the post method will have the same plaintext id=xyz in it, and any newbie hacker will be able to change the xyz to whatever he/she pleases. Don't be fooled into thinking post is more secure because you can't see the id being passed.

Personally, I prefer the whatever.php?id=xyz version because it's easy to create, easy to debug, easy to change on the fly if I need to, and my pages don't do an "Are you sure you want to repost the data?" every time you refresh a page that's the result of a form press.

What you need to do in either case is use sessions (or some other mechanism such as Apache's basic auth) to properly validate that the user is authenticated and has access to the page. Only then are you sure you can somewhat trust the data being sent back.

Cheers,
MCP
Good point! I really love the whatever.php?id=xyz; it's so easy. Sadly enough, I have put this project on hold for a bit while I work on an automailing plugin for my WordPress site. That project was spiraling quickly into a never-ending abyss of code, which was just depressing me. I'm sure I'll get back to it some time, but it was just a personal thing for my wife that she really didn't care about. But I'm sure I'll be using that function in there somewhere too; it's just so simple and easy to use. Thanks again for all your input.
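The point MCP makes in the quoted post, that the id in the URL or POST body is attacker-controlled and the session is what decides access, is illustrated below in an added example. It is not code from either poster; it assumes a login step has already stored an integer `user_id` in `$_SESSION`, and it uses a constructed `DOCUMENTS` array in place of a database table.

```php
<?php
// Added example (not from the forum thread): the same whatever.php?id=xyz page
// done two ways. Both read the id from the request; the difference is whether
// the server checks who is asking before handing back the record.

declare(strict_types=1);

// Constructed sample data standing in for a database table of documents.
// Keys are document ids; each value records the owning user id and the content.
const DOCUMENTS = [
    'xyz' => ['owner' => 7,  'body' => 'Quarterly notes for user 7'],
    'abc' => ['owner' => 12, 'body' => 'Private draft for user 12'],
];

// Insecure: trusts the id alone. Whoever edits ?id= (or the POST body, which
// Fiddler shows just as plainly) gets the record.
function fetch_document_insecure(string $id): ?string
{
    return DOCUMENTS[$id]['body'] ?? null;
}

// Hardened: the id is only a lookup key; access is decided by the session.
// $session stands in for $_SESSION so the function can run without a web server.
function fetch_document(string $id, array $session): ?string
{
    // 1. Authentication: the login step must have stored an integer user id.
    if (!isset($session['user_id']) || !is_int($session['user_id'])) {
        return null;
    }

    // 2. Input validation: constrain the id before using it as a key.
    if (!preg_match('/^[a-z0-9]{1,32}$/', $id)) {
        return null;
    }

    $doc = DOCUMENTS[$id] ?? null;

    // 3. Authorization: the record must belong to the logged-in user.
    //    "Missing" and "not yours" get the same answer so the response does
    //    not reveal which ids exist.
    if ($doc === null || $doc['owner'] !== $session['user_id']) {
        return null;
    }

    return $doc['body'];
}

if (PHP_SAPI !== 'cli') {
    // Typical page wiring: accept the id from either GET or POST, since the
    // transport makes no security difference, then let the session decide.
    session_start();
    $id   = $_GET['id'] ?? ($_POST['id'] ?? '');
    $body = fetch_document((string) $id, $_SESSION);
    if ($body === null) {
        http_response_code(403);
        exit('Forbidden');
    }
    echo htmlspecialchars($body, ENT_QUOTES, 'UTF-8');
} else {
    // Stand-alone run with constructed sessions, for comparing the two functions.
    var_dump(fetch_document_insecure('abc'));           // no session check at all
    var_dump(fetch_document('abc', ['user_id' => 7]));  // user 7 asking for user 12's record
    var_dump(fetch_document('xyz', ['user_id' => 7]));  // user 7 asking for their own record
    var_dump(fetch_document('xyz', []));                // no login at all
}
```

Run it from the command line to see the four cases side by side; in the insecure function the id is the only input, so changing `abc` to `xyz` in the request is all an outsider needs, whereas the hardened version ignores the id until the session has identified the caller and then checks ownership against it.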