Read this guide: http://phpsec.org/projects/guide/
Bye.

You should be able to use data from a url without any problem as long as it is sanitized, and if sensitive is checked against session data, e.g. delete a post - that should only be allowed by a mod/admin or the actual user him/herself if you want to grant that permission to users. Your code above is not secure.

Use prepared statements if possible (PDO), check input datatypes and ranges.

SEO - great use querystrings, but the only thing you really need to do is something like:

http://www.site.com?forum=17&thread=347

Or even

http://www.site.com?forum=17&thread=347#273648

or

http://www.site.com?forum=17&thread=347&post=273648

for a particular post

You could also use .htaccess files to rewrite your urls to something like http://www.site.com/17/347/273648

OK not the best example, but you get the idea.

The use of delete/edit etc may be better served with a form button (using POST method), thereby taking out the messy querystring. Just using post doesn't make the process any more secure. All $_POST variables must be considered suspect. Don't waste your time with fancy 'are they posting this form from my site or is it a spoof?' - most techniques don't work as actual headers themselves can be spoofed. The only 'simple' method I'd advise is using a random form token (hidden field) and checking it against a session value.

My 2p.

If you did not do any filtering on the users input, they maybe able to pass DROP upload -- by way of looking at the source code of your form. My wannabie hack codes can easily drop all of your upload table, if they just know where to look for an opening.

$query = "SELECT name, type, size, content " .
         "FROM upload WHERE id = '$id' DROP upload --";

This will get executed first,

$query = "SELECT name, type, size, content " .
         "FROM upload WHERE id = '$id'

followed by this

DROP upload --

The next thing we know, the entire upload table is gone. Honestly, I really hate discussing holes and hacks in public, because it teaches people how to do it, either for fun or for some unknown personal gratifications.

Try searching online.. I have a black book I downloaded long time ago when I was 13, I experimented with it,and it work really well. However, the main concept behind the book is for protection and not to cause harm to others.

Here are the classic login tricks to hack, and you must put great efforts on how to protect your codes..

admin' --
    ' or 1=1--
    admin'/*
    ' or 1=1/*
    ' or 1=1#
    ') or ('1'='1--
     ....
     admin' #
    ') or '1'='1--

no not really, you can always clean everything up, and then pass it on. Normally, people would do something like this..

somedomainDotcom/index?something=Whatever&page=somePage

Before passing the "Whatever" and "somepage" to the url, you can clean it up really well and do something like this

$something = base64_encode('Whatever');
$page = base64_encode('somepage');

and then on the processor page, you can pick it up by

$something = base64_decode($_GET['something']);
$page = base64_decode($_GET['page']);

A classic example of this is Google... take a look at their implementations..

As veedeoo states, the actual strings themselves aren't a problem, it's how you deal with them that really matters.

As far as your example goes, I can't see why you'd pass a thread string or a post string, as you now need to make the thread or post title unique in order to zero in on a specific post. IMO, you should use table id values to zero in on a thread or a post.

You can use the php filter functions to check datatype validity:

http://uk.php.net/manual/en/filter.examples.validation.php

But as I mentioned earlier, even if you are not using ORM, you can replicate this with a set of filtering functions for each input datum.

So, in other words - data will get to you in a number of different ways (cookies, get, post, external files?) and you won't be able to control some of those (get, post especially), so as opposed to worrying about what's passed, spend time on checking the data once it's arrived. :)

Make use of the mysql_real_escape_string() function to escape certain special characters: http://nl3.php.net/manual/en/function.mysql-real-escape-string.php

Also you can convert all HTML characters to their HTML encoded equivalents. For example < would become < This is done with the htmlentities() function: http://nl3.php.net/manual/en/function.htmlentities.php

You can decode this with the html_entity_decode() function: http://nl3.php.net/manual/en/function.html-entity-decode.php