$q = "SELECT id_utente FROM iscritti WHERE id_utente = " . (int) $_POST['mittente'];

Should avoid SQL injection.

No, (int) loads only the numeric int value, so no letters; if the string is, for example, "2lol", this loads only 2.
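The cast described above next to a stricter variant, as an added example that is not part of the original post. It assumes PDO with an in-memory SQLite database and constructed rows, and `lookupWithCast` and `lookupStrict` are hypothetical helper names.

```php
<?php
// Constructed sample data: an in-memory SQLite database stands in for the real one.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE iscritti (id_utente INTEGER PRIMARY KEY)');
$pdo->exec('INSERT INTO iscritti (id_utente) VALUES (1), (2), (3)');

// Approach from the post: the cast keeps only a leading integer, so the
// concatenated value cannot carry SQL, but malformed input is silently coerced.
function lookupWithCast(PDO $pdo, $raw): array
{
    $q = "SELECT id_utente FROM iscritti WHERE id_utente = " . (int) $raw;
    return $pdo->query($q)->fetchAll(PDO::FETCH_COLUMN);
}

// Stricter variant (hypothetical helper): refuse anything that is not a whole
// integer, then bind it as a parameter instead of concatenating.
function lookupStrict(PDO $pdo, $raw): ?array
{
    $id = filter_var($raw, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null; // malformed input is rejected, not rewritten
    }
    $stmt = $pdo->prepare('SELECT id_utente FROM iscritti WHERE id_utente = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs standing in for $_POST['mittente'].
foreach (['2', '2lol', 'lol', '2 OR 1=1'] as $raw) {
    printf(
        "%-12s cast=%s strict=%s\n",
        var_export($raw, true),
        json_encode(lookupWithCast($pdo, $raw)),
        json_encode(lookupStrict($pdo, $raw))
    );
}
```

With the cast, "2lol" and "2 OR 1=1" both look up user 2 and "lol" looks up user 0; the strict variant returns null for all three, so a caller can tell bad input apart from a missing row.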