Please help me add some code for my shopping cart

You’re wide open to SQL Injection attack there as the user submitted data being sent to mysql isn’t being escaped. If the id is always going to be numeric then use (int) to typecast it as an integer; anything that isn’t an integer will result in a value of 0.

The mysql_* extension that you’re using was deprecated in version 5.5 of PHP and is being removed in version 7 of PHP. You should now be using either the mysqli_* extension or PDO (whichever of those two you migrate to, you should always use prepared statements when sending any data to the database). PDO has the advantage of allowing named parameters.

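A product lookup written the way the reply above recommends, as an added example that is not code from the thread: PDO with a named parameter, plus strict integer validation of the id. The `products` table, its columns and the `findProduct` helper are assumptions, and an in-memory SQLite database stands in for MySQL so the script runs offline.

```php
<?php
// Constructed demo schema: the table and column names are assumptions.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)');
$pdo->exec("INSERT INTO products VALUES (1, 'Mug', 4.50), (2, 'Poster', 9.00)");

/**
 * Look up one product for the cart (hypothetical helper). Returns the row,
 * or null when the id is not a positive integer or no such product exists.
 */
function findProduct(PDO $pdo, $rawId): ?array
{
    // Strict validation: an (int) cast keeps leading digits ("2 OR 1=1"
    // casts to 2), whereas this rejects anything that is not purely an integer.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }

    // Named parameter: the value travels as data and is never spliced
    // into the SQL text.
    $stmt = $pdo->prepare('SELECT id, name, price FROM products WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample inputs standing in for $_GET['id'].
foreach (['2', '2 OR 1=1', 'abc', '99'] as $input) {
    $product = findProduct($pdo, $input);
    echo str_pad(var_export($input, true), 12), ' => ',
        $product ? $product['name'] : 'rejected / not found', PHP_EOL;
}
```

Against MySQL only the DSN passed to `new PDO(...)` changes; the prepared statement and the validation stay the same.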