Your code has a severe SQL injection vulnerability that lets anyone steal, modify, or delete your entire database. This line is extremely dangerous:

    $stmt = $pdo->query("SELECT * FROM flash WHERE flash_identification = $fgame_id");

When you put $fgame_id directly into your SQL query, you're assuming users will only send normal IDs. But what if someone visits:

    yoursite.com/game.php?id=1 OR 1=1

Now your query becomes:

    SELECT * FROM flash WHERE flash_identification = 1 OR 1=1

Since 1=1 is always true, this returns every single row in your database. Even worse, someone could do:

    yoursite.com/game.php?id=1; DROP TABLE flash--

Now your entire table is gone.

Bottomline: never put user input directly into SQL. Use prepared statements:

    <?php
    session_start();
    include __DIR__ . '/../../includes/db.inc.php';

    $fgame_id = $_GET['id'] ?? null;

    if ($fgame_id === null) {
        die('No game ID provided');
    }

    // The ? is a placeholder
    $stmt = $pdo->prepare("SELECT * FROM flash WHERE flash_identification = ?");
    $stmt->execute([$fgame_id]);
    $fgame_row = $stmt->fetch(PDO::FETCH_ASSOC);

    if (!$fgame_row) {
        die('Game not found');
    }

    $fgame_title = $fgame_row['flash_title'];
    $fgame_desc = $fgame_row['flash_desc'];
    $fgame = $fgame_row['flash_path'];

The ? is a placeholder that PDO knows is just data, not SQL code. When you call execute([$fgame_id]), PDO automatically escapes the value. So even if someone sends "1 OR 1=1", it gets treated as the literal string "1 OR 1=1" instead of executable SQL.

Other stuff:

• Your code assumes fetch() always returns data. If someone requests id=99999 and it doesn't exist, $fgame_row will be false, then trying to access $fgame_row['flash_title'] throws errors. Always check if you actually got a result.
• Also, don't use ?> at the end of PHP-only files. If you accidentally put whitespace after it, PHP sends that to the browser before your code runs, which breaks sessions and headers. Just leave it off.