All php input had to be sanitized.  For example,

instead of just doing:
<code>
  $id = $_GET["id"];
</code>

change it to be something like:
<code>
if (isset($_GET["id"]) ) {
  $id = filter_input(INPUT_GET, 'id', FILTER_SANITIZE_STRING);
  if( preg_match("/^(al|ep)\d\d$/", $id) ) {
    $id = $id;
  } else $id = "";
} else $id = "";
</code>