Decided to add my own answer which is basically based on @Sanjay Mohnani's answer.
if($_POST['delete']) {
//store the array of checkbox values
$allCheckBoxId = $_POST['checkbox'];
//escaping all of them for a MySQL query using array_map
array_map ('mysql_real_escape_string', $allCheckBoxId);
//implode will concatenate array values into a string divided by commas
$ids = implode(",", $allCheckBoxId);
//building query
$sql = "DELETE FROM t_s_list WHERE `s_id` IN ($ids)";
//running query
mysql_query($sql);
$NEW="Selected records Deleted";
}
Please remember, that whenever you use any value that came from the outside world ($_POST, $_GET, $_COOKIE, etc.) in a MySQL query, escape it beforehand. These values can be easily manipulated by malicious users. This type of attack is called SQL Injection. You can escape values using mysql_real_escape_string().
If you want to escape all the values in an array, you can use array_map(), which applies a function to all elements of an array.
You should also be careful when you output something that came from the outside world. For example you should never do echo $_GET['something'];, escape it properly for output (something like echo htmlspecialchars($_GET['something'])).
Never trust anything that comes from outside.
One more thing: in an HTML document, an ID can only be used on one element. In your code, all the checkboxes will have the ID checkbox[] which is not a good practice.
Please do something like:
<input name="checkbox[]" type="checkbox" value="<?=$row[s_id]?>" id="checkbox_<?=$row[s_id]?>">
which ensures that your elements have a different ID or don't use ID at all. When you post the form, only NAME will be posted, ID is for the client side only (can be used with CSS or Javascript for example).
