I am going through the code on my site before I launch it, trying to make sure I haven't left any gaping holes.
I am using an .htaccess file with this code: RewriteRule ^(.*)$ index.php?parameters=$1 [QSA,L] so that my URL
looks like this: mywebsite.com/bananas/ripe/20 instead of mywebsite.com?pagename=bananas&website=ripe&picture=20
and, in the top of the index.php file, I am doing this:
// split the rewritten path on "/" (array keys quoted; bare keys raise a warning, and an error in PHP 8)
$parameters = explode('/', $_GET['parameters']);
$_GET['pagename'] = htmlspecialchars($parameters[0]);
$_GET['website'] = htmlspecialchars($parameters[1]);
$_GET['picture'] = intval(htmlspecialchars($parameters[2]));
My question is: can I now use $_GET[pagename] in my code, or is there another way for an attacker to do something
evil with my $_GET variables? Also, is htmlspecialchars enough doing it this way? I also do mysql_real_escape_string() with
any mysql selects.
Thanks!
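The same index.php front controller, written the way a defender would want it: an allow-list for the page name, strict validation of each path segment, bound parameters for the database query, and htmlspecialchars applied only when printing HTML. This is an added example, not the asker's code; the page table, the `pictures` table and the `$pdo` connection are assumed for illustration.

```php
<?php
// Added example, not the asker's code. Assumes index.php is reached via the
// RewriteRule in the question and that a PDO connection $pdo already exists
// (hypothetical). Page and table names are made up for illustration.

// 1. Only serve page names you know about (allow-list, not escaping).
$allowedPages = ['bananas' => 'pages/bananas.php', 'apples' => 'pages/apples.php'];

$raw = isset($_GET['parameters']) ? $_GET['parameters'] : '';
// Drop empty segments so "/bananas//ripe/" cannot shift the positions.
$segments = array_values(array_filter(explode('/', $raw), 'strlen'));

$pagename = isset($segments[0]) ? $segments[0] : 'home';
$website  = isset($segments[1]) ? $segments[1] : '';
$picture  = isset($segments[2]) ? $segments[2] : '0';

// 2. Validate the shape of each value and reject bad input instead of "cleaning" it.
if (!array_key_exists($pagename, $allowedPages)) {
    http_response_code(404);
    exit('Not found');
}
if ($website !== '' && !preg_match('/^[a-z0-9_-]{1,32}$/', $website)) {
    http_response_code(400);
    exit('Bad request');
}
if (!ctype_digit($picture)) {   // intval("12abc") would silently become 12
    http_response_code(400);
    exit('Bad request');
}
$picture = (int) $picture;

// 3. Database: bind parameters, so no mysql_real_escape_string() is needed.
$stmt = $pdo->prepare('SELECT title, path FROM pictures WHERE site = :site AND id = :id');
$stmt->execute([':site' => $website, ':id' => $picture]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// 4. Escape for the HTML context at output time, not when reading input.
if ($row) {
    echo '<h1>' . htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8') . '</h1>';
}
require $allowedPages[$pagename];
```

Validating on input and escaping on output are separate steps: htmlspecialchars only protects the HTML context, so a value that later reaches SQL, a file path or a URL needs its own check or binding.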