Hi everyone, this is the second time I am getting hacked with this code:

This is my home page index.php
PHP Code:
// index.php
<?php
// $_SESSION is read below, so the session must already be started;
// session_start() is not in the snippet as posted and is assumed to be
// in the omitted part of the page.
session_start();
?>
<form action="insert.php" method="post">  <!-- method="post" is required because insert.php reads $_POST -->
<?php
if (!empty($_SESSION['name'])) {
    $name = $_SESSION['name'];
    // the session value is echoed into the attribute exactly as stored
    echo "<input type=\"text\" name=\"name\" value=\"" . $name . "\">";
} else {
    echo "<input type=\"text\" name=\"name\" value=\"\">";
}

if (!empty($_SESSION['title'])) {
    $title = $_SESSION['title'];
    echo "<input type=\"text\" name=\"title\" value=\"" . $title . "\">";
} else {
    echo "<input type=\"text\" name=\"title\" value=\"\">";
}

if (!empty($_SESSION['phone'])) {
    $phone = $_SESSION['phone'];
    echo "<input type=\"text\" name=\"phone\" value=\"" . $phone . "\">";
} else {
    echo "<input type=\"text\" name=\"phone\" value=\"\">";
}
?>
</form>
This one is the processor insert.php

PHP Code:
// insert.php
// $db is the PDO connection object, created in code not shown in the post

$name  = $_POST['name'];
$title = $_POST['title'];
$phone = $_POST['phone'];

// prepared statement with named placeholders; the values are bound at execute()
$sql = $db->prepare("INSERT INTO test VALUES (:name, :phone, :title)");

$sql->execute(array(':name' => $name, ':phone' => $phone, ':title' => $title))
    or die(print_r($sql->errorInfo(), true));
And finally the page that retrieves the data from DB show.php

PHP Code:
// show.php

// The data is shown here
// Get post id
if (isset($_GET['id'])) {
    $id = (int) $_GET['id'];   // the cast turns a missing or non-numeric id into 0
    if ($id == 0) {
        redirect("index.php"); // redirect() is a helper defined elsewhere in the app
        exit;
    }
} else {
    redirect("index.php");
    exit;
}

$sql = $db->prepare("SELECT * FROM test WHERE id = :id");

/*** bind the parameters ***/
$sql->bindParam(':id', $id, PDO::PARAM_INT);

/*** execute the prepared statement ***/
$sql->execute();

/*** fetch the results ***/
$result = $sql->fetchAll();
foreach ($result as $row) {
    // the columns are copied into plain variables and echoed into the page further down
    $id    = $row['id'];
    $name  = $row['name'];
    $title = $row['title'];
    $phone = $row['phone'];
}
The code is bigger than this, but it is pretty much the same method.
So the hacker was nice, and he/she said "FIX YOUR CODE". I don't even have a login system!! So, what could be wrong with this code??? I thought PDO was the king of filtering/sanitizing inputs!!

Any help will be appreciated
Thanks
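Added example, not the poster's code: PDO prepared statements protect the SQL statement, but the snippets above then echo the stored values raw into value="..." attributes, which is a separate output-encoding problem. This stand-alone script uses an in-memory SQLite PDO handle and assumed helper names (h(), save_row(), render_row()) to show the same insert/select flow with the fields escaped at output time.

```php
<?php
// Added example, not the poster's code. Uses an in-memory SQLite PDO
// handle so it runs stand-alone; the helpers h(), save_row() and
// render_row() are assumed names, the table layout follows the question.
declare(strict_types=1);

// Escape a value for an HTML attribute or text node. ENT_QUOTES covers
// both quote characters so a stored value cannot close the value="..."
// attribute; ENT_SUBSTITUTE keeps invalid UTF-8 from producing "".
function h(?string $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// insert.php side: the prepared statement is what keeps the SQL safe. It
// stores the text exactly as submitted, which is correct; escaping belongs
// at output, not at insert time.
function save_row(PDO $db, string $name, string $phone, string $title): int
{
    $sql = $db->prepare('INSERT INTO test (name, phone, title) VALUES (:name, :phone, :title)');
    $sql->execute([':name' => $name, ':phone' => $phone, ':title' => $title]);
    return (int) $db->lastInsertId();
}

// show.php side: every field passes through h() before it reaches HTML.
function render_row(PDO $db, int $id): string
{
    $sql = $db->prepare('SELECT name, phone, title FROM test WHERE id = :id');
    $sql->bindValue(':id', $id, PDO::PARAM_INT);
    $sql->execute();
    $row = $sql->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return '';
    }
    $html = '';
    foreach ($row as $field => $value) {
        $html .= '<input type="text" name="' . h($field) . '" value="' . h($value) . '">' . PHP_EOL;
    }
    return $html;
}

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE test (id INTEGER PRIMARY KEY, name TEXT, phone TEXT, title TEXT)');

// Constructed sample row: quotes, angle brackets and an ampersand, the
// characters that break out of an attribute when echoed raw.
$id = save_row($db, 'Ann "Ace" <Smith> & Co', '555-0100', "Owner's <b>title</b>");
echo render_row($db, $id);
```

The same h() call belongs around $name, $title and $phone wherever index.php and show.php echo them; the prepared statements in insert.php and show.php can stay as they are.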