Certainly you can place limitations on the variables. You can't stop the user sending you anything they feel like, but you can certainly check them when you receive them, and only allow through the ones that are valid.
If there are only limited number of possible values for $item, you can make an array of them and check that the supplied $_GET['item'] is in the array:
$allowed_items = array('this', 'that', 'yonder', 'other');
if(!in_array($item, $allowed_items))
{
// the $item is invalid. Handle this according to whatever policy you have: E.g. set $item to something valid and harmless
}
Similar for $file.
If a field is supposed to be numeric and in a certain range, use [man]is_numeric[/man] and the comparison operators to check.
Later on, the fixed array could be replaced by something that examines (I presume) the filesystem to see what possible values for $item and $file there are, and then checks what the user sends against that.
