Reputation: 65
I have code like below for deleting an entry by URL parameter:
<td><a href="deletecar.php?car_id=<?php echo $row_cars['car_id']; ?>" onclick=" if ( !confirm('Are you sure to DELETE?') ) return false; ">Delete</a></td>
And this is the URL parameter output:
http://localhost/html/deletecar.php?car_id=17
But if I change car_id=17 to car_id=23 (which is in another user's car list), it is deleted anyway.
How can I prevent this?
deletecar.php is like below:
<?php
if (!function_exists("GetSQLValueString")) {
    function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
    {
        if (PHP_VERSION < 6) {
            $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
        }
        $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);
        switch ($theType) {
            case "text":
                $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
                break;
            case "long":
            case "int":
                $theValue = ($theValue != "") ? intval($theValue) : "NULL";
                break;
            case "double":
                $theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
                break;
            case "date":
                $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
                break;
            case "defined":
                $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
                break;
        }
        return $theValue;
    }
}
// Only checks that someone is logged in; the car_id is never tied to that user,
// so any logged-in user can delete any car_id.
if ((isset($_GET['car_id'])) && ($_GET['car_id'] != "") && (isset($_SESSION['MM_Username']))) {
    $deleteSQL = sprintf("DELETE FROM cars WHERE car_id=%s",
                         GetSQLValueString($_GET['car_id'], "int"));
    mysql_select_db($database_conn, $conn);
    $Result1 = mysql_query($deleteSQL, $conn) or die(mysql_error());
    $deleteGoTo = "myaccount.php";
    if (isset($_SERVER['QUERY_STRING'])) {
        $deleteGoTo .= (strpos($deleteGoTo, '?')) ? "&" : "?";
        $deleteGoTo .= $_SERVER['QUERY_STRING'];
    }
    header(sprintf("Location: %s", $deleteGoTo));
}
?>
And this is my table in the database:
INSERT INTO `car` (`car_id`, `c_id`, `c_brand`, `c_model`, `c_model_nd`, `c_model_year`, `c_color`, `c_capacity`, `c_owner`, `c_statu`, `c_show`) VALUES
(16, '34DA1593', 'Volkswagen', 'Volt', '313 CDI', 2006, 'Beyaz', '', 18, 'yakamozturizm', 'Boş', 0),
(17, '34BC5897', 'Mercedes', 'Sprinter', '313CDI', 2006, 'Gri', '', 14, 'PcRestorer', 'Boş', 0),
(18, '34DBC145', 'Volkswagen', 'Volt', '213 CDI', 2013, 'Beyaz', '', 16, 'PcRestorer', 'Boş', 0);
Edit:
I have changed my code like this:
$colname_delete = "-1";
if (isset($_GET['car_id'])) {
    $colname_delete = $_GET['car_id'];
}
$owner_delete = "-1";
if (isset($_SESSION['MM_Username'])) {
    $owner_delete = $_SESSION['MM_Username'];
}
if ((isset($_GET['car_id'])) && ($_GET['car_id'] != "")) {
    // The owner comes from the session, not from the request, so the row is
    // only deleted when car_id and c_owner both match.
    $deleteSQL = sprintf("DELETE FROM minibusler WHERE car_id = %s AND c_owner =%s",
                         GetSQLValueString($colname_delete, "int"),
                         GetSQLValueString($owner_delete, "text"));
    mysql_select_db($database_conn, $conn);
    $Result1 = mysql_query($deleteSQL, $conn) or die(mysql_error());
    $deleteGoTo = "myaccount.php";
    if (isset($_SERVER['QUERY_STRING'])) {
        $deleteGoTo .= (strpos($deleteGoTo, '?')) ? "&" : "?";
        $deleteGoTo .= $_SERVER['QUERY_STRING'];
    }
    header(sprintf("Location: %s", $deleteGoTo));
}
It looks like it is working. Do you think it is a secure way to do that?
Thanks for your help.
Upvotes: 0
Views: 1559
Reputation: 157880
To make it less bloated:
if (empty($_SESSION['MM_Username'])) {
    exit; // take appropriate action here
}
if (empty($_GET['car_id'])) {
    exit; // take appropriate action here
}
mysql_select_db($database_conn, $conn);
$sql = sprintf("DELETE FROM minibusler WHERE car_id = %s AND c_owner =%s",
               GetSQLValueString($_GET['car_id'], "int"),
               GetSQLValueString($_SESSION['MM_Username'], "text"));
mysql_query($sql, $conn) or trigger_error(mysql_error());
header("Location: myaccount.php");
exit;
Upvotes: 0
Reputation: 9057
In any case, before deleting a car
you should check whether it belongs to the current user. If not, display a suitable message.
Upvotes: 1
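Putting the two answers together, here is an added example of a deletecar.php that scopes the DELETE to the logged-in owner (first answer) and reports when no row matched (second answer). It is not code from the question or either answer; it assumes PDO instead of the mysql_* functions, reuses the `minibusler` table and column names from the question, and the DSN credentials are placeholders.

```php
<?php
// Added example, not the question's or the answers' code. Assumes PDO and the
// minibusler(car_id, c_owner) columns from the question; DB credentials are
// placeholders.
session_start();

/**
 * Delete a car only if it belongs to $owner.
 * Returns true when exactly one row was removed, false when nothing matched
 * (unknown car_id, or a car owned by somebody else).
 */
function deleteOwnCar(PDO $pdo, int $carId, string $owner): bool
{
    // Both conditions live in the WHERE clause. The owner comes from the
    // session, never from the request, so a foreign car_id matches no row.
    $stmt = $pdo->prepare(
        'DELETE FROM minibusler WHERE car_id = :car_id AND c_owner = :owner'
    );
    $stmt->execute([':car_id' => $carId, ':owner' => $owner]);
    return $stmt->rowCount() === 1;
}

if (empty($_SESSION['MM_Username'])) {
    http_response_code(403);
    exit('Please log in.');
}

// Reject anything that is not a positive integer before touching the database.
$carId = filter_input(INPUT_GET, 'car_id', FILTER_VALIDATE_INT,
                      ['options' => ['min_range' => 1]]);
if ($carId === false || $carId === null) {
    http_response_code(400);
    exit('Invalid car_id.');
}

$pdo = new PDO('mysql:host=localhost;dbname=DBNAME_PLACEHOLDER',
               'DBUSER_PLACEHOLDER', 'DBPASS_PLACEHOLDER',
               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

if (deleteOwnCar($pdo, $carId, $_SESSION['MM_Username'])) {
    header('Location: myaccount.php');
} else {
    // The "suitable message" from the second answer: nothing was deleted,
    // and the user learns nothing about other owners' cars beyond that.
    http_response_code(403);
    echo 'This car does not belong to you or does not exist.';
}
exit;
```

The rowCount() check is what turns the scoped DELETE into an explicit ownership decision: a request for another user's car_id simply deletes zero rows and gets the message instead of a silent redirect.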