g1smd - 3:03 pm on Apr 28, 2011 (gmt 0)
I don't use category in the URL for pages. A page might be linked from multiple categories, but they will all link to the exact same categoryless URL.
The product page links out to 3 or 4 cross-sell and up-sell items. It also links back to the categories that the page is listed in, by way of "Find more [gadgets] [widgets] [doodads]" links.
The product ID is the one canonical item that is unchanging, even when the title or category changes. However, with your security concerns, I think perhaps there's an easy way to hash that ID and make the actual db record number different from, but related to, the publicly identifiable number. Food for thought. Is it any more secure to use "Red Widget FK252" as the database key though?
One of the first things the script does after receiving a request is to look to see if the ID, perhaps 12345, is a valid ID. If not, the 404 page is sent. If the ID is valid, the title is pulled from the db and compared to the title text found within the URL. If they don't match, then a 301 redirect is issued. If they do match, then the content is pulled from the db and served. This content includes the meta data and the on-page content such as links to images, prices, page text, as well as links to related categories and cross-sell and up-sell items and so on.
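The request handling described in this post (valid ID or 404, title slug mismatch gives a 301, otherwise serve), combined with the keyed-hash idea from the previous paragraph, as an added Python example; this is not code from the post or its author, and the sample catalogue, the secret key and the 12-character token length are assumptions.

```python
import hmac
import hashlib
import re

# Constructed sample catalogue: database record number -> product title.
CATALOG = {12345: "Red Widget FK252", 12346: "Blue Doodad 7"}

# Assumed server-side secret; in practice loaded from configuration,
# never derived from the data itself.
SECRET_KEY = b"example-secret-do-not-use"


def slugify(title: str) -> str:
    """Lower-case, replace runs of non-alphanumerics with '-', trim the ends."""
    return re.sub(r"[^a-z0-9]+", "-", title.lower()).strip("-")


def public_token(db_id: int) -> str:
    """Keyed hash of the record number: the public identifier is related to
    the row id but cannot be walked sequentially or reversed without the key."""
    digest = hmac.new(SECRET_KEY, str(db_id).encode(), hashlib.sha256).hexdigest()
    return digest[:12]  # 12 hex chars is an assumed length, not a standard


# Reverse index built once at startup; a lookup is the only way back to a row.
TOKEN_TO_ID = {public_token(i): i for i in CATALOG}


def product_url(db_id: int) -> str:
    """Canonical categoryless URL for a product: token plus current title slug."""
    return f"/product/{public_token(db_id)}/{slugify(CATALOG[db_id])}"


def route(path: str) -> tuple:
    """Return (HTTP status, Location header or page title) for a product URL."""
    m = re.fullmatch(r"/product/([0-9a-f]{12})(?:/([^/]*))?", path)
    if not m:
        return 404, "Not Found"
    db_id = TOKEN_TO_ID.get(m.group(1))   # step 1: is the ID valid?
    if db_id is None:
        return 404, "Not Found"
    canonical = product_url(db_id)
    if path != canonical:                 # step 2: does the title slug match?
        return 301, canonical
    return 200, CATALOG[db_id]            # step 3: serve content from the db
```

Renaming a product changes only the slug, so old links still resolve by token and are corrected with a single 301 to the new canonical URL.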