I wanted to pass a hidden variable at first with $_POST but i have come to realize that users can change $_POST almost as easily as $_GET. Is it possible to somehow restrict this ability or is there another way to do this? Also, it doesnt seem you can use $_POST in this simple example below?:

index.php

    <a href="test.php?variable=<?php echo $row['recipe_id'];?>"><view recipe</a>

test.php

    $variable = $_GET['variable'];
    $query = $database->query("SELECT name, description, date_added from recipe where recipe_id = $variable");

(EDIT: i do check that the input is indeed an integer although i skipped this above to minimize the code of the example. I should’ve made this clear earlier).
I guess the only borderline “malicious” things a user could do here is loop through the recipe_id:s to find out how many recipes were in the database or even the first recipe added just by changing the $variable. Not that i care in this particular case, but im sure i will when it comes to other examples. I realize that i want to make the information available, i just want it to go through the “proper channels” i guess. Is this just the way things are or am i missing something vital?

People always write things like “validate your input”. And i agree with that. But in this case its just one integer the user “inputs”. What can be done besides that validation? Again, im slowly progressing/learning this so please be patient if i seem to make simple mistakes.

(Using PHP, PDO, Mysql)
Thank you!