Instead of ?id=, use random or hashed parameter names (security by obscurity as a secondary layer).
index.php?id=1; ls
index.php?id=1 | whoami
Rules to block ', ", --, union, select, ../, %00.
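An added example, not from the original page: the rule list above applied in Python to constructed request URLs, next to a strict integer check on id. It assumes id is a numeric key, and the function names are hypothetical. The two command-separator requests shown earlier contain none of the listed tokens, so only the integer check stops them.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Tokens from the rule list above; %00 is matched after decoding, as a NUL byte.
BLOCKED = re.compile(r"""['"]|--|\bunion\b|\bselect\b|\.\./|\x00""", re.IGNORECASE)
# Assumption for this example: id is a positive integer of at most 10 digits.
INT_ID = re.compile(r"[0-9]{1,10}")

def decoded_params(url):
    """Split the query on '&' and percent-decode each key and value."""
    pairs = []
    for pair in urlsplit(url).query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            pairs.append((unquote_plus(key), unquote_plus(value)))
    return pairs

def check_request(url):
    """Return (blocklist_hit, id_is_valid) for one request URL."""
    params = decoded_params(url)
    hit = any(BLOCKED.search(value) for _, value in params)
    ids = [value for key, value in params if key == "id"]
    valid = len(ids) == 1 and INT_ID.fullmatch(ids[0]) is not None
    return hit, valid

def verdict(url):
    hit, valid = check_request(url)
    if hit:
        return "block: blocklist"
    if not valid:
        return "block: id not integer"
    return "allow"

# Constructed sample requests (the second and third are the ones on this page).
SAMPLES = [
    "index.php?id=42",
    "index.php?id=1; ls",
    "index.php?id=1 | whoami",
    "index.php?id=1%27%20UNION%20SELECT%201--",
    "index.php?id=1%00",
    "index.php?id=7&q=select+a+plan",  # harmless text that the token list rejects
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{verdict(url):24} {url}")
```

The last sample shows the cost of token matching: ordinary text containing a listed word is rejected, which is why the type check on id carries the real weight.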
If you run a website and you suspect you might be vulnerable—or you simply see your URLs appearing in Google for index.php?id= searches—you need to act immediately. Instead of