To achieve this, modern PHP frameworks (such as Laravel) or Content Management Systems (like WooCommerce or Magento) use and server rewrites (via .htaccess in Apache or nginx.conf).
Because the script blindly trusts whatever is passed into $_GET['id'], an attacker can manipulate the URL to alter the database command.
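The pattern described above next to a hardened form, as an added example that is not code from the original page. The products table, its rows and both function names are constructed for illustration, and the script assumes the pdo_sqlite extension is available.

```php
<?php
declare(strict_types=1);

// Constructed in-memory catalogue so the example runs offline (needs pdo_sqlite).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, hidden INTEGER)');
$pdo->exec("INSERT INTO products VALUES (1, 'Mug', 0), (2, 'Unreleased item', 1)");

// The pattern the text describes: the parameter is pasted into the SQL string,
// so its content is parsed as part of the query.
function findProductUnsafe(PDO $pdo, string $id): array
{
    $sql = "SELECT id, name FROM products WHERE hidden = 0 AND id = $id";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: reject anything that is not a positive integer, then bind the
// value as a typed parameter so it can never change the query structure.
function findProductSafe(PDO $pdo, string $id): array
{
    $valid = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($valid === false) {
        return [];            // in a real handler: respond 400 and log the request
    }
    $stmt = $pdo->prepare('SELECT id, name FROM products WHERE hidden = 0 AND id = :id');
    $stmt->bindValue(':id', $valid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs standing in for $_GET['id'].
foreach (['1', '1 OR 1=1'] as $id) {
    printf("id=%-12s unsafe rows=%d  safe rows=%d\n",
        "'$id'",
        count(findProductUnsafe($pdo, $id)),
        count(findProductSafe($pdo, $id)));
}
```

With the tampered value, the concatenated query also returns the row marked hidden, while the validated and bound version returns nothing.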
When you search for php?id=1 shopping , you are essentially looking at the "skeletons" of thousands of different online stores.