Originally Posted by AndrewGSW
Added: to pass a simple array of ids (integers) as a string I would prefer implode() and explode() which have less overhead than serialize().
Actually I'm going to support this over my serialize suggestion as it would be easier and simpler to implode an array into a string for the form and then explode it into an array for processing.
The only slight risk is that someone could modify it before transmission whereas with a serialized array string it's not as easy to understand from the laymans POV.
Also Deb, remember in your SQL to use "where user = '<users id>'" along with your where / id clause otherwise a malicious user could supply their own message IDs and wipe out another users inbox.