<form method="POST" action="">...
$id = $_POST['data']; if(is_int($id)===FALSE )exit("HAKING"); $result = mysql_query("SELECT * FROM data WHERE id='.$id",$db); ... printf ("<img src='%s' />",$myrow["url"]);