Best and secure way to send parameters in URL

You should worry less about what happens when people change parameters within the URL or try to hack something into your HTML (hidden fields), as much more you should worry about what your users are actually allowed to do.

If an admin is allowed to delete all posts for example, then it doesn't matter if he changes domain.com/post/delete/1 into domain.com/post/delete/42. If admins are supposed to delete everything they can. So let them just change it as much as they want to.

If admins however are only allowed to gain administrative privileges to their own entries, then you need to work this into your Service-Layer. The Service-Layer would check for permissions of the current user against the currently requested object. My personal favorite would be ZfcRbac.

If however you want to make it more difficult for people to actually change IDs, then you should give every entry a unique hash. So for example the url would be domain.com/post/delete/12acd-4a7f7c6-4a7f7c6-12acd-4a7f7c6 or something like that.

TL/DR don't worry what happens when people change stuff within the URL/HTML, simply worry about Authentication and Permissions in general.

You can change id to some_random_string (based on timestamp to make it unique) and search databese for that. There is no chance that user would guess that random string. And second check in controller that logged user have rights to CRUD actions.

You can use https://github.com/ZF-Commons/ZfcUser (with second module for Doctrine) to make auth and in controller you can check if user is logged

if ($this->zfcUserAuthentication()->hasIdentity()) {
    $user = $this->zfcUserAuthentication()->getIdentity();
    if($user->systemRole=='admin')//you can make switch for that
    {
      //can edit/delete/create
    }
}

To make this work you must copy UserEntity from that module and add systemRole. (check documentation for zfc-user for that)