I just read further in the code, and there's ....
Code:
"DELETE FROM debiteur_configuraties WHERE configuratie_id=$configuratie_id"
There $configuratie_id is the same variable as above.
So call this script with "?configuratie_id=%" and you just deleted all of our customers' configuration setups stored in our database.
SQL injection was never easier.
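A hardened form of the DELETE quoted in the post, as an added example that is not part of the original post or the code base it describes. It assumes PDO, uses an in-memory SQLite database with constructed rows as a stand-in for the real one, and assumes `configuratie_id` is an integer key; the function name `deleteConfiguratie` is hypothetical.

```php
<?php
// Added example: validate the id, then bind it as a parameter.
// Assumptions: PDO + in-memory SQLite stand in for the real database,
// sample rows are constructed, configuratie_id is an integer key.

function deleteConfiguratie(PDO $db, $rawId): int
{
    // Reject anything that is not a plain positive integer before touching SQL.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('configuratie_id must be a positive integer');
    }
    // The value is bound as a typed parameter, never concatenated into the statement.
    $stmt = $db->prepare('DELETE FROM debiteur_configuraties WHERE configuratie_id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE debiteur_configuraties (configuratie_id INTEGER PRIMARY KEY, naam TEXT)');
$db->exec("INSERT INTO debiteur_configuraties VALUES (1, 'klant A'), (2, 'klant B'), (3, 'klant C')");

// Constructed request values: a legitimate id, the value from the post, and two malformed ones.
foreach (['2', '%', 'abc', ''] as $input) {
    try {
        $n = deleteConfiguratie($db, $input);
        echo 'input ' . var_export($input, true) . ": deleted $n row(s)\n";
    } catch (InvalidArgumentException $e) {
        echo 'input ' . var_export($input, true) . ": rejected\n";
    }
}

$left = $db->query('SELECT COUNT(*) FROM debiteur_configuraties')->fetchColumn();
echo "rows remaining: $left\n";
```

Only the request carrying a valid integer id removes a row; every other value is rejected before a statement is prepared.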