Cybercriminals rarely attack random targets manually. Instead, they use Google dorks to compile lists of highly vulnerable targets.
If the website trusts the input and does not check it, an attacker could change the URL to profile.php?id=1 AND 1=2 . If the page behaves differently (e.g., an error is shown or content disappears), it might be vulnerable. The attacker could then use more advanced techniques, such as appending UNION SELECT username, password FROM admins to try and extract data directly from other database tables. inurl id=1 .pk