Never display database errors to the browser. An attacker who sees a message such as "mysql_fetch_array() expects parameter 1..." knows they can inject. Use error_reporting(0); in production.
Always use PDO or MySQLi with prepared statements to prevent SQLi.
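Both rules together, as an added example that is not code from the original page: a PDO prepared statement with error detail sent to the server log instead of the response. The in-memory SQLite database, the articles table, the findArticleTitle() helper and the sample inputs are assumptions made so the script runs on its own; with MySQL only the PDO connection string changes.

```php
<?php
declare(strict_types=1);

// Production error settings: nothing is rendered to the browser.
error_reporting(0);
ini_set('display_errors', '0');

// Constructed sample data in an in-memory SQLite database (assumption).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)');
$pdo->exec("INSERT INTO articles (id, title) VALUES (1, 'First'), (2, 'Second')");

/**
 * Hypothetical helper: look up one article by the id request parameter.
 * Returns the title, or null when the id is invalid or not found.
 */
function findArticleTitle(PDO $pdo, string $rawId): ?string
{
    // Reject anything that is not a plain positive integer.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    try {
        // The placeholder keeps the value out of the SQL text.
        $stmt = $pdo->prepare('SELECT title FROM articles WHERE id = :id');
        $stmt->bindValue(':id', $id, PDO::PARAM_INT);
        $stmt->execute();
        $title = $stmt->fetchColumn();
        return $title === false ? null : (string) $title;
    } catch (PDOException $e) {
        // Detail goes to the server log only; the caller sees null.
        error_log('article lookup failed: ' . $e->getMessage());
        return null;
    }
}

// Constructed inputs standing in for $_GET['id'].
foreach (['1', '2', "1'", '1 OR 1=1', '999'] as $input) {
    $title = findArticleTitle($pdo, $input);
    echo str_pad(var_export($input, true), 12), ' => ',
         $title === null ? 'Not found' : htmlspecialchars($title), PHP_EOL;
}
```

error_log() writes to the server log regardless of the error_reporting level, so failures stay visible to operators while the response shows only the generic "Not found".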