This is vulnerable to SQL Injection because the variable $id has no protection. To avoid this we can use the PHP function intval(). To see what it does, go here: http://www.php.net/intval
So if we use it:
$safe = intval($id); $query = "SELECT * FROM test_table WHERE id=$safe";
Another way is to make our query like this: $query = "SELECT * FROM test_table WHERE id='".$id."'";
Another option is to use is_numeric():
if (is_numeric($_GET['id'])) { $query = "SELECT * FROM test_table WHERE id={$_GET['id']}"; } else { echo "Again nooby"; exit; }
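The following is an added example (not code from the original post) that puts the unprotected query beside the intval() and is_numeric() versions and prints the SQL string each one builds for a few constructed inputs, so the effect of each check is visible without touching a database. The three function names and the sample inputs are my own.

```php
<?php
// Added example, not from the original post. Builds the SQL string each
// approach would send, for constructed inputs, without contacting a database.

// The unprotected form: whatever arrives in $id is pasted into the query.
function query_unprotected(string $id): string {
    return "SELECT * FROM test_table WHERE id=$id";
}

// intval() approach: the value is forced to an integer before use.
function query_intval(string $id): string {
    $safe = intval($id);            // "1 OR 1=1" becomes 1, "abc" becomes 0
    return "SELECT * FROM test_table WHERE id=$safe";
}

// is_numeric() approach: non-numeric input is rejected, numeric input is
// passed through unchanged. Note that is_numeric() also accepts floats and
// exponent notation such as "1.5" or "1e3", so it is looser than intval().
function query_is_numeric(string $id): ?string {
    if (!is_numeric($id)) {
        return null;                // caller aborts, like the else branch above
    }
    return "SELECT * FROM test_table WHERE id=$id";
}

// Constructed inputs: a normal id, an injection-style string, and junk.
$inputs = ["42", "1 OR 1=1", "abc"];
foreach ($inputs as $id) {
    echo "input: $id\n";
    echo "  unprotected: " . query_unprotected($id) . "\n";
    echo "  intval:      " . query_intval($id) . "\n";
    echo "  is_numeric:  " . (query_is_numeric($id) ?? "rejected") . "\n";
}
```

Run it with `php example.php`; the unprotected line shows the injected text landing inside the WHERE clause, while the intval() line always contains a bare integer and the is_numeric() line either passes a numeric value or reports "rejected".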