dongwenghe2416 2016-01-28 17:55
41 views
Accepted

Preventing record ID manipulation

How do you prevent a malicious user from changing URL or form data, specifically a record ID. For example:

http://example.com/deleteproduct.php?id=34

The user could change the ID value from 34 to, say, 69 and, in doing so, delete a record belonging to another customer. I guess the obvious protection is to validate the ID before performing the delete to make sure the user has access to that record, but is there perhaps another approach that is considered better practice? The downside of validating the ID is that it requires more database queries, which would be great to avoid.


3 answers

  • duanbogan5878 2016-01-28 18:20

    I guess the obvious protection is to validate the ID before performing the delete to make sure the user has access to that record.

    This is the only way to ensure that your user has access to delete these rows.

    The downside of validating the ID is that it requires more database queries, which would be great to avoid.

    Not necessarily. You can simply check when you're deleting to only delete rows that belong to your user.

    For example, assuming your table structure looks similar to:

    users
    -----
    id | username
    1  | Dave
    2  | John
    
    products
    -----
    id | name | user_owner
    1  | Milk | 1
    2  | Cake | 2
    

    So if Dave visited deleteproduct.php?id=2, the following query would execute:

    DELETE FROM products WHERE id = 2 AND user_owner = 1;
    

    It wouldn't delete anything, and $mysqli->affected_rows would return zero.

    When affected rows is zero it means that the product ID was invalid or the product didn't belong to the user; either way, you would display a message telling the user that the product ID is invalid.

    This answer was selected as the best answer by the asker.
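The ownership-scoped DELETE from the accepted answer, worked through end to end as an added example (not code from the question or the answer). It recreates the answer's `users` and `products` tables in an in-memory SQLite database (constructed sample data), puts the unscoped DELETE beside the scoped one, and uses the driver's affected-row count (`rowcount` here, the equivalent of `$mysqli->affected_rows`) to tell "deleted" from "invalid or not yours" without any extra SELECT. The function and variable names are this example's own.

```python
import sqlite3

# Constructed sample schema and rows mirroring the tables in the answer.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL);
CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT NOT NULL,
                       user_owner INTEGER NOT NULL REFERENCES users(id));
INSERT INTO users VALUES (1, 'Dave'), (2, 'John');
INSERT INTO products VALUES (1, 'Milk', 1), (2, 'Cake', 2);
"""

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def delete_product_unscoped(conn, requested_id):
    """The vulnerable shape: trusts ?id= alone, so any user can delete any row."""
    cur = conn.execute("DELETE FROM products WHERE id = ?", (int(requested_id),))
    conn.commit()
    return cur.rowcount == 1

def delete_product(conn, session_user_id, requested_id):
    """Hardened shape: the DELETE is scoped to the authenticated user's rows.

    session_user_id comes from the server-side session, never from the
    request; requested_id is the untrusted ?id= value. Returns True only if
    exactly one row was removed. A non-integer id, an unknown id and another
    user's id all yield False, so the caller reports them identically
    ("invalid product id") and leaks nothing about other customers' rows.
    """
    try:
        product_id = int(requested_id)
    except (TypeError, ValueError):
        return False
    cur = conn.execute(
        "DELETE FROM products WHERE id = ? AND user_owner = ?",
        (product_id, session_user_id),
    )
    conn.commit()
    return cur.rowcount == 1  # affected rows: 0 means invalid or not owned

def product_names(conn):
    return [r[0] for r in conn.execute("SELECT name FROM products ORDER BY id")]

if __name__ == "__main__":
    db = make_db()
    print(delete_product(db, 1, "2"))  # Dave tampers to John's id -> False
    print(delete_product(db, 1, "1"))  # Dave deletes his own product -> True
    print(product_names(db))           # ['Cake']
```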
