So, given all of the recommendations provided by everyone in this thread, we ultimately understand that you want to send URLs to PHP script that then uses those URLs to do something involving banners. The banners part was not part of your original question. Your question was if it was secure enough, and we all agree that it isn't secure. Security is defined as
Sending URLs through a URL is not safe in that users can manipulate the resulting URL if they so pleased. So, at its surface, $_GET is not secure.
Let's take these URLs for example:
That URL contains three URLs. Now, if a user wanted to, they could change one of those variables with little to no effort at all. Also, it exposes where your banners would be located. Is that something you want the user to have access to? Is that something that you believe could compromise your PHP script?
If it doesn't matter to you that a user can manually edit the URLs, then $_GET should be fine. However, in the end, it depends on what exactly you want to do with those URLs. Are you going to have them displayed for users to click? Are you going to have them used as the source of a banner image? What do you plan on doing with these URLs?! That's the elephant of information in this thread that we've attempted to get from you. What will you do with these URLs in your PHP script?
Having said that, sending complete URLs through a URL as a variable may or may not function as you want it to. Take the following URL:
If you haven't noted what I did there, I'll explain it. Notice that the urlVariable value has a URL with a query parameter. This will break your URL and result in you not getting the proper data. The same issue applies when you then add a second URL to the URL string. Since there are two ? marks, the browser will interpret only up until that first ?. The rest will not be read correctly if at all.
To answer your question about htmlspecialchars, take a look at the manual, you'll see at the very beginning:
htmlspecialchars will not work because it does not convert the whole string to something useable. htmlspecialchars will not change the extra question marks. The best option is to use: htmlentities
$bannerURL = htmlentities($bannerURL);
$websiteURL = htmlentities($websiteURL);
$websiteName = htmlentities($websiteNAME);
This will get you the correct format for sending through a URL
On the myscript.php page, you would then decode those URLs into variables for your use using html_entity_decode()
$banner = html_entity_decode($_GET['bannerURL']);
You could then use that variable appropriately.
Now, after all of that, can you understand the insecurities involved with sending URL through URL variables? A user could manipulate that image source very easily. Then again, the "secure" part of how you use these URLs depends on what you are doing with them. We don't know. Assuming this method is used, you will need to first validate the URL to make sure nothing malevolent was added by the user manually. How you do that is up to you. Do you only want to accept URLs from certain domains? Do you want to make sure the syntax of one of the URL variables is correct? What do you want to happen?
In any case, if you haven't grasped what we've all been talking about by now, then you should probably outsource your project.