URL parameters - how to hide them, or any other safer way of dealing with them

I use URL parameters along with GET for most of my pages, but I feel it's not so safe, given that anyone can manually enter a parameter and influence the outcome of the page. I would like to eliminate this; is there any way I could achieve this?

e.g.

<a href="deletepicture.php?pl=1450">Delete</a>

Now I don't want users to see this in their URL field, or even in the status bar of their browser when they hover over the 'Delete' link.

    It doesn't matter whether you use GET, POST, cookies etc.; you simply can't trust data coming from the client.

    You have to check that the user has the right to delete what is marked for deletion.
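The server-side check this reply describes, written out as an added example (not code from the thread): the handler reads `pl` exactly as the original link sends it, but the value is only ever used after a type check and an ownership check tied to the login session. The session key `user_id`, the `$pdo` connection details, and the `pictures` table with `id` and `owner_id` columns are assumptions made for the illustration.

```php
<?php
// deletepicture.php - added example, not code from the original thread.
// Assumptions for the illustration: the logged-in user's id is in
// $_SESSION['user_id'], $pdo is a PDO connection, and a "pictures" table
// has the columns id and owner_id.
declare(strict_types=1);
session_start();

if (!isset($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Not logged in');
}

// 1. Type check: pl must be a positive integer. filter_input() returns
//    null when the parameter is absent and false when it is not an int.
$pictureId = filter_input(INPUT_GET, 'pl', FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 1],
]);
if ($pictureId === false || $pictureId === null) {
    http_response_code(400);
    exit('Invalid picture id');
}

$pdo = new PDO('mysql:host=localhost;dbname=app', 'app', 'secret', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false,
]);

// 2. Authorisation on the server: the row is deleted only if it belongs to
//    the user whose session this is. Whether pl arrived in the URL, a form
//    field or a cookie makes no difference to this check.
$stmt = $pdo->prepare('DELETE FROM pictures WHERE id = :id AND owner_id = :owner');
$stmt->execute([':id' => $pictureId, ':owner' => $_SESSION['user_id']]);

if ($stmt->rowCount() === 0) {
    // Either the picture does not exist or it is someone else's. Both get the
    // same response so the page does not reveal which ids exist.
    http_response_code(404);
    exit('Picture not found');
}

header('Location: pictures.php');
```

Putting the owner condition into the DELETE itself, rather than selecting first and deleting second, means there is no window between the check and the action, and a user who edits `pl` to somebody else's id simply deletes nothing.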

      What if I disallow special characters in my form fields like ';' and '<'... do you think that would prevent any malicious code from being sent, apart from verifying via the user's login session whether he is authorised to delete the file?

        What if I disallow special characters in my form fields like ';' and '<'... do you think that would prevent any malicious code from being sent?

        It depends on what you are using the user's input for.
        Using htmlspecialchars() or htmlentities() is one good way to stop malicious code injection.

        Using addslashes() appropriately may be useful for stopping SQL injection for some RDBMS such as MySQL.
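An added example of the "it depends on the context" point above (not code from the thread): the same user-supplied string is escaped one way when written into HTML and handled another way when it reaches the database. For the SQL side it uses a prepared statement instead of addslashes(), since the escaping a database needs depends on the connection's character set and is safer left to the driver. The two payload strings are constructed for the example, and the `pictures` table with a `title` column is an assumed schema.

```php
<?php
// Added example, not code from the thread. Context-specific handling of one
// user-supplied string: htmlspecialchars() for HTML output, a prepared
// statement for SQL. Table/column names (pictures, title) are assumptions.
declare(strict_types=1);

// Constructed attacker inputs. Neither contains ';' or '<', so a blacklist
// of those characters would let both through unchanged.
$sqlPayload  = "' OR '1'='1";
$htmlPayload = '" onmouseover="alert(1)';

// HTML context: escape at output time. ENT_QUOTES also escapes ' and ",
// which matters when the value ends up inside an attribute.
function htmlText(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// SQL context: the value never becomes part of the query text. The driver
// sends it separately, so quotes inside it have no syntactic meaning.
function findPicturesByTitle(PDO $pdo, string $title): array
{
    $stmt = $pdo->prepare('SELECT id, title FROM pictures WHERE title = :title');
    $stmt->execute([':title' => $title]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Input validation is a type/length check, not a substitute for escaping:
// an id is an integer, a title is a bounded UTF-8 string, and each is still
// escaped for the context it is used in.
function validTitle(string $title): string
{
    if (!mb_check_encoding($title, 'UTF-8') || mb_strlen($title, 'UTF-8') > 100) {
        throw new InvalidArgumentException('title must be UTF-8 and at most 100 characters');
    }
    return $title;
}

// Attribute built from the escaped value: the leading quote becomes &quot;,
// so the attacker's onmouseover stays inside the value attribute.
echo '<input type="text" name="title" value="' . htmlText($htmlPayload) . '">' . PHP_EOL;

$pdo = new PDO('mysql:host=localhost;dbname=app', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// With the payload above this matches only a picture literally titled
// "' OR '1'='1", not every row in the table.
$rows = findPicturesByTitle($pdo, validTitle($sqlPayload));
```

The reason a character blacklist is the wrong tool is visible in the two payloads: `' OR '1'='1` needs only a quote, and the attribute break-out needs only a double quote and a space. Escaping for the destination (HTML, SQL, shell, URL) covers whatever characters that destination treats as special, without having to guess them up front.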

          It's generally a really bad idea to have an anchor link for a "Delete" button in the first place.

          You should replace it with a form post. This will discourage things like web-accelerator precaching clients from attempting to "prefetch" the "page" in case the user clicks it.

          In any case, any input from the user is totally untrustworthy and must be checked for correct data type and legal values in all cases. This includes setting up all correct escaping or stripping before sending anything to a database.

          Mark
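Mark's suggestion as an added example (not his code or the original poster's): the Delete control becomes a POST form carrying a per-session token, and the handler refuses anything that is not a POST with a matching token before it gets to the ownership check. The session keys `user_id` and `csrf_token`, the connection details, and the `pictures` table with `id` and `owner_id` are assumptions for the illustration.

```php
<?php
// Added example, not code from the thread. A Delete button as a POST form with
// a CSRF token, plus the handler that checks method and token first.
// Assumed names: $_SESSION['user_id'], $_SESSION['csrf_token'], table pictures
// with columns id and owner_id.
declare(strict_types=1);
session_start();

// One random token per session, created on first use.
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

function deleteButton(int $pictureId): string
{
    $token = htmlspecialchars($_SESSION['csrf_token'], ENT_QUOTES, 'UTF-8');
    // A form submits with POST: prefetching clients follow links, they do not
    // submit forms. The id is still visible to the user in the page source and
    // still has to be authorised on the server; hidden fields hide nothing.
    return '<form method="post" action="deletepicture.php">'
         . '<input type="hidden" name="pl" value="' . $pictureId . '">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<button type="submit">Delete</button>'
         . '</form>';
}

function handleDelete(PDO $pdo): void
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        header('Allow: POST');
        exit('Use the Delete button');
    }
    // hash_equals() compares in constant time, so a wrong token is not
    // distinguishable from an almost-right one by timing.
    $sent = $_POST['csrf_token'] ?? '';
    if (!is_string($sent) || !hash_equals($_SESSION['csrf_token'], $sent)) {
        http_response_code(403);
        exit('Invalid request token');
    }
    if (!isset($_SESSION['user_id'])) {
        http_response_code(403);
        exit('Not logged in');
    }
    $pictureId = filter_input(INPUT_POST, 'pl', FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($pictureId === false || $pictureId === null) {
        http_response_code(400);
        exit('Invalid picture id');
    }
    // The form changed how the id arrives, not whether it can be trusted:
    // the ownership check is the same one a GET handler would need.
    $stmt = $pdo->prepare('DELETE FROM pictures WHERE id = :id AND owner_id = :owner');
    $stmt->execute([':id' => $pictureId, ':owner' => $_SESSION['user_id']]);
    if ($stmt->rowCount() === 0) {
        http_response_code(404);
        exit('Picture not found');
    }
    header('Location: pictures.php');
}

if (basename($_SERVER['SCRIPT_NAME']) === 'deletepicture.php') {
    $pdo = new PDO('mysql:host=localhost;dbname=app', 'app', 'secret', [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    handleDelete($pdo);
} else {
    // Rendering the button on a listing page for picture 1450, as in the
    // original link.
    echo deleteButton(1450);
}
```

The token is what makes the form safer rather than merely tidier: without it, a third-party page could still submit the same POST from a logged-in user's browser, and the method check alone would not stop that.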

            Thanks Guys for the response!

            So Mark, are you saying that I should have a Delete button instead of a link and that would make it a safer option?
