You could store their current position, and then compare that to the new position (on the new URL), and make sure that it is a valid move that they can make.
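The check suggested in the reply above, as an added example that is not part of the original thread: the server keeps the character's position and accepts a requested position only if it is well-formed, on the map, walkable and one step away. The function name, the tile codes and the one-step rule are assumptions made for illustration.

```php
<?php
// Added example; is_valid_move(), the tile codes and MAX_STEP are hypothetical.

const MAX_STEP = 1; // assumption: one orthogonal tile per request

/**
 * Decide whether a requested position is reachable from the stored one.
 * $map is a list of row strings: '.' is walkable, '#' is a wall.
 * $current is the position the server last saved for this character.
 */
function is_valid_move(array $map, array $current, $reqX, $reqY): bool
{
    // Request values arrive as strings; accept only plain digit strings.
    foreach ([$reqX, $reqY] as $v) {
        if (!is_string($v) || !ctype_digit($v)) {
            return false;
        }
    }
    $x = (int) $reqX;
    $y = (int) $reqY;

    // The target tile must exist on the map and be walkable.
    if (!isset($map[$y][$x]) || $map[$y][$x] !== '.') {
        return false;
    }

    // The target must be adjacent to the stored position.
    $dx = abs($x - $current['x']);
    $dy = abs($y - $current['y']);
    return ($dx + $dy) === MAX_STEP;
}

// Constructed sample data. In the game the stored position would come from
// the characters table or the session, never from the URL.
$map    = ['#####', '#..##', '#.#.#', '#####'];
$stored = ['x' => 1, 'y' => 1];

var_dump(is_valid_move($map, $stored, '2', '1'));  // adjacent and walkable
var_dump(is_valid_move($map, $stored, '3', '2'));  // walkable, two steps away
var_dump(is_valid_move($map, $stored, '1', '0'));  // adjacent, but a wall
var_dump(is_valid_move($map, $stored, '-1', '1')); // malformed input
```

Only after the check passes would the stored position be updated; a rejected request leaves it unchanged.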
I did figure out a way to do it without using GET; instead I added three new columns to the maps table, and summoned the right map using the zone number from the characters table. Nowhere near as flexible, but much more secure.
I have a different opinion on the security through obscurity thing. I think it can work to keep out the "children" cheaters. You know, the ones that really don't know anything, but know the little tricks that almost everyone knows. If I change a query string from ?username=Frank and encode it to something similar to ?3wewfho3234we=2l4645dsaa3sadf, and say my encode / decode functions are of course exactly the same, and proper checks are done on the PHP page, i.e. if ($username == "frank") { } elseif ($username == "bob") { }, then if the user changes the query string's value from 2l4645dsaa3sadf to even something remotely close like 2l4645dsbb3sadf, it will be way off from what the script is looking for. Yes, I know this would not keep out the pros, but it would be enough to get rid of a few that could do damage otherwise. Think, if this is a number and the number ends up being 8 characters long encoded and it must match something else in a query, let's say, they would have a needle in a haystack chance of finding that.