XSS | SQL injection

{% else-1 %}

[мошенник] 8.5

(29 май 2014, 17:34) (1/0) [1]

$id = intval($_GET['id']);
$msg = htmlspecialchars(mysql_real_escape_string($_POST['msg']));