Inurl Pk Id 1

The server returns: "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version..." Bingo. The attacker now knows the site uses MySQL and is vulnerable to injection.

Within minutes, the attacker has dumped the entire database: customer emails, hashed passwords, credit card numbers, and internal admin credentials.

An attacker goes to Google and types inurl:pk id 1. Google returns 1,200 results. Among them is: https://www.example-shop.com/view.php?pk=1&id=1

$query = "SELECT * FROM users WHERE id = " . $_GET['id'];
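
The concatenated query above, rewritten defensively as an added example (not code from the site described here): the id is validated as an integer, bound as a parameter, and database errors are logged instead of returned to the client. The function name viewUser, the users columns and the in-memory SQLite database are assumptions chosen so the script runs offline; the page's site uses MySQL.

```php
<?php
// Added example, not the site's code. Table layout, sample row and the
// in-memory SQLite database are constructed so this runs without a server.
declare(strict_types=1);

function openDemoDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)');
    $pdo->exec("INSERT INTO users (id, email) VALUES (1, 'alice@example.test')");
    return $pdo;
}

// Returns [HTTP status, body]. $rawId stands in for $_GET['id'].
function viewUser(PDO $pdo, $rawId): array {
    // 1. Allow-list the type: id must be a positive integer, nothing else.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return [400, 'Bad request'];
    }
    try {
        // 2. Bound parameter: the value never becomes part of the SQL text.
        $stmt = $pdo->prepare('SELECT id, email FROM users WHERE id = :id');
        $stmt->bindValue(':id', $id, PDO::PARAM_INT);
        $stmt->execute();
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
    } catch (PDOException $e) {
        // 3. Log the driver error server-side; never echo it to the client,
        //    so a response cannot reveal the database engine or query shape.
        error_log('viewUser query failed: ' . $e->getMessage());
        return [500, 'Internal error'];
    }
    return $row ? [200, htmlspecialchars($row['email'], ENT_QUOTES)] : [404, 'Not found'];
}

$pdo = openDemoDb();
// Constructed inputs: a valid id, an unknown id, and non-integer values.
foreach (['1', '2', '1x', '1 2', '-1', null] as $input) {
    [$status, $body] = viewUser($pdo, $input);
    printf("%-8s -> %d %s\n", var_export($input, true), $status, $body);
}
```

Only '1' and '2' reach the database; every other input is rejected with a generic 400 before any SQL is prepared, so the response never carries a MySQL syntax error.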

For developers, the lesson is clear: For system administrators, the lesson is: Assume your site is already in some hacker's Google dork list.