All php input had to be sanitized. For example,

instead of just doing:

  $id = $_GET["id"];

change it to be something like:

if (isset($_GET["id"]) ) {
  $id = filter_input(INPUT_GET, 'id', FILTER_SANITIZE_STRING);
  if( preg_match("/^(al|ep)\d\d$/", $id) ) {
    $id = $id;
  } else $id = "";
} else $id = "";