There are two issues with your code, one security, one syntax.
First, you allow SQL injection because you are not validating or filtering the GET parameter, and it is very easy to abuse, since one only has to append `?id=''); DROP table users; -`
I recommend using the function filter_var, or better yet, filter_input:

```php
// FILTER_VALIDATE_INT rejects anything that is not an integer
// (FILTER_SANITIZE_NUMBER_INT only strips characters and never rejects)
$filteredId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
// it returns the integer if it passes the filter,
// false if it did not pass, or null if 'id' is missing,
// so you can reject the input or abort
if (is_null($filteredId) || $filteredId === false) {
    exit('Dato no valida');
}
// now we can use the filtered value
```
Now for the syntax issue: interpolating the variable directly, as in your code, is correct if it is a scalar (not an array):

```php
$sql = "SELECT * FROM categorias WHERE categoria_id='$filteredId'";
```
But if you really want to pass the member of an array, it's easier:
```php
$sql = "SELECT * FROM categorias WHERE categoria_id='$array[id]'";
```
And we insist: avoid at all costs accepting variables that users can manipulate without filtering or validating them.
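An added example, not part of the original answer: it runs constructed `id` values through both filter types to show which ones are rejected, then passes the accepted integer to the query as a bound parameter, which goes one step beyond the interpolation shown above. The helper `parse_categoria_id`, the in-memory SQLite table and the sample values are assumptions made for the demo; it needs PHP 8 with the `pdo_sqlite` extension.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: returns a positive integer id, or null if the input is not one.
function parse_categoria_id(mixed $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Constructed in-memory table standing in for `categorias`.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE categorias (categoria_id INTEGER PRIMARY KEY, nombre TEXT)');
$pdo->exec("INSERT INTO categorias VALUES (1, 'libros'), (2, 'musica')");

// The id is bound as an integer parameter, so it never becomes part of the SQL text.
$stmt = $pdo->prepare('SELECT nombre FROM categorias WHERE categoria_id = :id');

// Constructed sample values for $_GET['id'] (null stands for a missing parameter).
$samples = ['2', '1-2+3', 'abc', "''); DROP table users; -", null];

foreach ($samples as $raw) {
    // What the sanitize filter would hand back: characters stripped, nothing rejected.
    $sanitized = filter_var($raw, FILTER_SANITIZE_NUMBER_INT);
    $id = parse_categoria_id($raw);

    printf("input=%s sanitized=%s ", var_export($raw, true), var_export($sanitized, true));

    if ($id === null) {
        echo "=> rejected by validation\n";
        continue;
    }

    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $nombre = $stmt->fetchColumn();
    $stmt->closeCursor();

    echo '=> accepted, row: ', var_export($nombre, true), "\n";
}
```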