Ignorer l'ancien mysql_* trucs si vous le pouvez et utilisez PDO.
$pdo = new PDO('mysql:host=localhost;dbname=whatever', $username, $password);
$statement = $pdo->prepare('SELECT * FROM table WHERE pid=:pid AND ID=:id');
$statement->bindParam(':pid', $_GET['pid']);
$statement->bindParam(':id', $_GET['id']);
$results = $statement->execute();
var_dump($results->fetchAll());
