Old 05-20-2009, 09:55 PM   #3 (permalink)
Village Idiot

Always validate ANY sort of input. vB passes the thread number via GET data; it is still safe because you validate it. Validation would consist of you checking in the database if that user (who should also be authenticated) is indeed the owner of the post.

The rule of thumb is that if it is data from the client side, assume it's hostile.
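The ownership check described in the post above, as an added example that is not part of the original post and is not vBulletin's code. It uses Python with an in-memory SQLite database as a stand-in; the `post` table, its columns, and the function names are assumptions made for illustration, and the sample rows are constructed.

```python
import sqlite3

def parse_post_id(raw):
    """Accept only a plain positive decimal integer taken from the query string."""
    if not isinstance(raw, str) or not raw.isascii() or not raw.isdigit():
        return None
    value = int(raw)
    return value if 0 < value < 2**31 else None

def may_edit_post(conn, session_user_id, raw_post_id):
    """True only if the authenticated session user owns the requested post."""
    if session_user_id is None:      # no authenticated session: refuse
        return False
    post_id = parse_post_id(raw_post_id)
    if post_id is None:              # malformed identifier: refuse
        return False
    # The user id comes from the server-side session, never from the request.
    # Bound parameters keep the client-supplied value out of the SQL text.
    row = conn.execute(
        "SELECT 1 FROM post WHERE post_id = ? AND user_id = ?",
        (post_id, session_user_id),
    ).fetchone()
    return row is not None

def build_demo_db():
    """Constructed sample data: user 10 owns post 1, user 20 owns post 2."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE post (post_id INTEGER PRIMARY KEY, user_id INTEGER, body TEXT)"
    )
    conn.executemany(
        "INSERT INTO post VALUES (?, ?, ?)",
        [(1, 10, "first user's post"), (2, 20, "second user's post")],
    )
    return conn

if __name__ == "__main__":
    db = build_demo_db()
    # (session user, raw GET value): own post, someone else's post,
    # unauthenticated request, malformed ids, nonexistent post
    for user, raw in [(10, "1"), (10, "2"), (None, "1"), (10, "1abc"), (10, "-1"), (10, "999")]:
        print(user, repr(raw), may_edit_post(db, user, raw))
```

A request for a post that exists but belongs to another user gets the same answer as a request for a post that does not exist, so the response does not reveal which post ids are valid.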