PHP Code:
$id=$_GET['id'];
$result = mysql_query("UPDATE privatemsg SET prefix='' WHERE id='$id'");
Suppose someone alters the URL like ...id?=' AND DROP TABLE `users`");# or whatever.
You can use
PHP Code:
$id = (int) $_GET['id']; // if it's numerical; if it's not, use mysql_real_escape_string
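Added example, not part of the original post: the same UPDATE with strict integer validation and a bound parameter through PDO, which is a different technique from the cast and mysql_real_escape_string mentioned above. The function name clear_prefix, the in-memory SQLite database (requires pdo_sqlite) and the sample rows and inputs are assumptions made for illustration.

```php
<?php
// Added example: table layout, rows and inputs are constructed for illustration.
// Assumes the pdo_sqlite extension so the script runs without a database server.

function clear_prefix(PDO $db, $rawId): int
{
    // Reject anything that is not a plain positive integer instead of
    // silently truncating it the way an (int) cast would.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }

    // The value is bound as data; it never becomes part of the SQL text.
    $stmt = $db->prepare("UPDATE privatemsg SET prefix = '' WHERE id = :id");
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE privatemsg (id INTEGER PRIMARY KEY, prefix TEXT)");
$db->exec("INSERT INTO privatemsg (id, prefix) VALUES (1, 'RE:'), (2, 'FW:')");

// Constructed inputs standing in for $_GET['id']; the second is the
// altered value quoted in the post.
$inputs = ['1', "' AND DROP TABLE `users`\");#", '2abc', ''];
foreach ($inputs as $raw) {
    try {
        $n = clear_prefix($db, $raw);
        printf("%s -> updated %d row(s)\n", var_export($raw, true), $n);
    } catch (InvalidArgumentException $e) {
        // Show what a bare (int) cast would have silently turned the input into.
        printf("%s -> rejected (an (int) cast would yield %d)\n",
            var_export($raw, true), (int) $raw);
    }
}

// Print the final table state.
foreach ($db->query("SELECT id, prefix FROM privatemsg ORDER BY id") as $row) {
    printf("id=%d prefix=%s\n", $row['id'], var_export($row['prefix'], true));
}
```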