Well ... it's a good thing to think about, and if you found it yourself then all the better. You'll be looking for that kind of vulnerability when you are writing similar code.
The solution is going to depend largely on what data you are allowing the user to delete.
I mean, if you have a table where rows of data are linked to specific users, and you want each user to only be able to delete their own rows, and assuming that you're using sessions or something similar to carry the users ID from page to page, you could just change your query to something like ...
Code: Select all
mysql_query("DELETE FROM contact WHERE contact_ID=" . mysql_real_escape_string($_REQUEST['id'] . " AND user_ID=" $user_ID));
This way, your user could change the ID as they see fit, but their destruction wont affect anyone but themselves.
If, on the other hand, you're allowing the user to delete items that aren't related to them, then you could create a random value for each row and store it in a session, then when the form is processed, convert back from the random ID to the item ID and then perform the delete. It wouldn't eliminate the ability to change the code to another value, but they could only delete items shown on the source page, so they can't delete what they can't see. I mean, the ID wouldn't even have to be random ... you could just build an array and use the auto-generated keys in place of the item id.
The former is my preference though.
Cheers