The URL thing sounds like a big pain, but you could make it secure – make it such that only the PHP webserver can access those URLs (either in the QuickBase configuration, or by running a firewall between the machines). Then write your PHP code very securely, paying close attention to validating user data and never allowing user input into the URLs unchecked and unescaped.
But like I said, not worth it. Use mysql, or pgsql, or if you’re up for learning something new, Zope looks interesting (and comes with a built-in object database).