I have made my code a lot more secure now, using sessions instead of cookies apart from this case, and also using mysql_real_escape_string() and intval(), but I left this in there in case I missed anything.