I'm fairly new to PHP and here is something I wonder what to do with.
For several functionalities on my site I have a PHP script which handles the actions after a user clicks something, i.e.:
<a href='/php/delete.php?id=xxx'>delete</a>
<form action='/php/handleregistration.php' method='post'></form>
In my code these links are easily visible when you view the source code, but looking at other websites' code, these kinds of references are much harder to find. I suppose most is handled by the same types of PHP scripts but through some JavaScript/jQuery.
So, my question is: should I do this? Why, and what's the best way to do it?
I don't believe you need to worry. You should always write secure code, and validate and sanitise your data before doing anything with it anyway. I.e., don't assume id=xxx is valid, as someone could manually type something knowing the script URL.
Most of the sites you see are probably using a framework or some sort of URL rewriting. This makes the URLs look nicer (even scripts). It doesn't add much in the way of security though; this could be considered Security through Obscurity. It would do nothing more than prevent someone who doesn't know what they are doing from an easy attack. It would never stop a skilled attacker, and this is why security should be implemented on the server side.
Edit:
As a side note, you may want to use POST for delete just to prevent some nasty unforeseen consequences. As Tim said, you should have a delete confirmation page, because even if the user is logged in, it doesn't mean they are in control.
Imagine a website with an iframe set to width=0 and height=0 src=http://yoursite.com/php/delete.php?id=xxx
This would cause the logged-in user to delete their account (or change password, charge credit card, etc.) without their knowledge.
Of course, changing GET to POST doesn't completely resolve this issue, but it's one step of many to take in securing web apps.
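The server-side checks discussed above (POST only, a per-session anti-forgery token, a validated id, an ownership check), as an added example that is not part of the original answers. The function name handle_delete and the callbacks $ownerOf and $deleteItem are hypothetical stand-ins for the application's own code, and the sample data is constructed.

```php
<?php
declare(strict_types=1);

// Added example: server-side checks for a delete endpoint.
// $ownerOf and $deleteItem are hypothetical callbacks for the app's database layer.
function handle_delete(string $method, array $post, array $session,
                       callable $ownerOf, callable $deleteItem): int
{
    // 1. State-changing actions are not reachable by GET (links, <img>, <iframe>).
    if ($method !== 'POST') {
        return 405;
    }
    // 2. The user must be logged in; the client cannot assert this itself.
    if (!isset($session['user_id'], $session['csrf_token'])) {
        return 401;
    }
    // 3. The form must carry the per-session token, so a page on another
    //    site cannot submit the request on the user's behalf.
    $token = $post['csrf_token'] ?? '';
    if (!is_string($token) || !hash_equals($session['csrf_token'], $token)) {
        return 403;
    }
    // 4. Never assume id=xxx is valid: accept positive integers only.
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return 400;
    }
    // 5. The record must exist and belong to the requesting user.
    if ($ownerOf($id) !== $session['user_id']) {
        return 404;
    }
    $deleteItem($id);
    return 204;
}

// Constructed sample data: item id => owner's user id.
$items   = [7 => 42, 8 => 99];
$session = ['user_id' => 42, 'csrf_token' => bin2hex(random_bytes(32))];
$ownerOf = function (int $id) use (&$items): ?int { return $items[$id] ?? null; };
$delete  = function (int $id) use (&$items): void { unset($items[$id]); };
$good    = ['id' => '7', 'csrf_token' => $session['csrf_token']];

var_dump(handle_delete('GET',  $good, $session, $ownerOf, $delete));                 // sent as GET
var_dump(handle_delete('POST', ['id' => '7'], $session, $ownerOf, $delete));         // token missing
var_dump(handle_delete('POST', ['id' => '8'] + $good, $session, $ownerOf, $delete)); // another user's item
var_dump(handle_delete('POST', $good, $session, $ownerOf, $delete));                 // valid request
```

In a real delete.php the arguments would come from $_SERVER['REQUEST_METHOD'], $_POST and $_SESSION, with the token written into a hidden field of the delete form.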
Always enforce security on the server. Ultimately, it matters very little what is done on the client (the web browser).
However, you may want (strong recommendation to do so) to use different HTTP methods like GET, POST, PUT, and DELETE to better represent the operation. This may impact your markup/JavaScript slightly, e.g. putting your delete button in a form so you can use the HTTP DELETE method.
See http://en.wikipedia.org/wiki/Representational_state_transfer
It makes no difference. Anyone can view the Network tab of the browser Dev tools and see what gets sent to your server.
There is no security to be had on the client side, no matter how obfuscated your code is.
Instead, validate EVERYTHING on the server.
No. URIs are public information. They have to be sent to the browser for the browser to make a request to them. If the browser gets some information the user gets it too. Obfuscating URIs just makes your life harder when you have to debug things.
OTOH, what you should do is: