When visiting other pages it never shows the URL params. It won't pass on that you had to do script.pl?this=that. It'll just show script.pl.

My access_log records show the parameters passed in a GET request, and the error_log shows the referer (sic) including the parameters if it was a GET request.

You are using obscurity to secure your script. Once the obscurity is gone, the security goes right with it. Obscurity can be much more difficult to maintain (perhaps approaching "impossible" for anything more complex than a crossover cable) than other methods once $badguy has access to the request path (see previous post in this thread). Maintaining this secure request path is expensive, error prone, and difficult. There are other, more economical solutions available.