On my site, I use a lot of $_GET, which is obviously an ideal opportunity for hackers to inject code.
However, when querying or updating MySQL, I also use the following method:
$user = $_SESSION['user']; $query = "SELECT * FROM `members` WHERE `username` = '$user' LIMIT 0,1";
As you can see, it will only query the row that has a username equal to $user.
Now, what are the chances of a hacker spoofing the session to make it equal whatever they want?
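The following is an added example, not code from the question author: it places the interpolated query from the question next to the same lookup written with a prepared statement, so the result no longer depends on how much the session value can be trusted. It assumes a PDO connection in `$pdo`, a started session, and an integer `id` column on `members`; the session value used as input is constructed for illustration.

```php
<?php
// Added example (not the question author's code). Assumes an existing PDO
// connection $pdo (created elsewhere with new PDO('mysql:...', $dbUser, $dbPass))
// and that session_start() has already run.

// Constructed sample: a session value that is not a plain username.
$_SESSION['user'] = "x' OR '1'='1";

// 1. The pattern from the question. Whatever string sits in $_SESSION['user']
//    is pasted straight into the SQL text, so the query's meaning is decided
//    by that value rather than by the code.
$user  = $_SESSION['user'];
$query = "SELECT * FROM `members` WHERE `username` = '$user' LIMIT 0,1";
// $query now reads:
//   SELECT * FROM `members` WHERE `username` = 'x' OR '1'='1' LIMIT 0,1
// The WHERE clause is true for every row, so the "only this user's row"
// property the question relies on is gone.

// 2. The same lookup as a prepared statement. The username travels to MySQL
//    separately from the SQL text, so no value can change the statement's
//    structure; a bad session value simply matches no row.
function findMember(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT * FROM `members` WHERE `username` = :username LIMIT 1');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 3. The same treatment for a $_GET parameter: validate the type first,
//    then bind it. (The `id` column is an assumption for this example.)
function findMemberById(PDO $pdo, $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null;  // reject anything that is not an integer before touching the database
    }
    $stmt = $pdo->prepare('SELECT * FROM `members` WHERE `id` = :id LIMIT 1');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage:
// $member = findMember($pdo, $_SESSION['user']);          // null for the constructed value above
// $other  = findMemberById($pdo, $_GET['id'] ?? '');      // null unless ?id= is an integer
```

With the prepared statement the question of whether the session can be spoofed stops being a SQL question: the query returns at most the one row whose username literally equals the value, whatever that value is. Whether the session value itself is trustworthy is then a separate matter of how it was set at login and how the session cookie is protected.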