25 Killer Combos for Google's Site: Operator (6 with "inurl")
Use tools like sqlmap (with permission) to automate testing: inurl indexphpid upd
Implement a whitelist for the id parameter: 25 Killer Combos for Google's Site: Operator (6