Never insert variables directly into your SQL queries. Use prepared statements with PDO or MySQLi to separate the query structure from the data.
When a PHP script uses the id parameter to specify a filename (e.g., ?id=about.php), an attacker can traverse directories using ../../etc/passwd. The id=1 pattern here is a decoy; the actual value changes.
The site is vulnerable.
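The two defences described above, as an added PHP example that is not part of the original page: a PDO prepared statement for a numeric id lookup, and an allowlist for the case where id selects a file. The in-memory SQLite database (needs the pdo_sqlite extension), the articles table, the helper names findArticle and resolvePage, and the pages/ directory are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample data: an in-memory SQLite table standing in for the real database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)');
$pdo->exec("INSERT INTO articles (id, title) VALUES (1, 'About'), (2, 'Contact')");

// Hypothetical helper: look up a row by id without ever placing the value in the SQL text.
function findArticle(PDO $pdo, string $rawId): ?array
{
    // Reject anything that is not a plain positive integer before touching the database.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // The query structure is fixed; the value travels separately as a bound parameter.
    $stmt = $pdo->prepare('SELECT id, title FROM articles WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hypothetical helper: the id parameter carries a key, never a filename or path.
function resolvePage(string $rawId): ?string
{
    $pages = ['about' => 'about.php', 'contact' => 'contact.php']; // assumed page names
    return isset($pages[$rawId]) ? __DIR__ . '/pages/' . $pages[$rawId] : null;
}

// Constructed inputs: valid ids, a malformed id, and the traversal string from the text.
foreach (['1', '2', '1abc', '../../etc/passwd'] as $input) {
    $row = findArticle($pdo, $input);
    printf("id=%-18s => %s\n", $input, $row ? $row['title'] : 'rejected');
}
foreach (['about', 'about.php', '../../etc/passwd'] as $input) {
    printf("page=%-16s => %s\n", $input, resolvePage($input) ?? 'rejected');
}
```

Only keys present in the allowlist resolve to a path, so neither a raw filename nor a ../ sequence reaches the filesystem.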