Inurl Php Id1 | Upd

Never concatenate. Use placeholders.

This specifies the file extension. The target pages are built using PHP (Hypertext Preprocessor), a server-side scripting language still powering over 75% of websites that use a server-side language, including giants like Facebook and Wikipedia. The .php extension tells us the server is executing code before sending HTML to the browser. inurl php id1 upd

Furthermore, if id1=upd reveals an admin panel, the attacker has bypassed authentication entirely because the parameter acts as a backdoor. Never concatenate

http://target.com/article.php?id=1 UNION SELECT username,password FROM users -- if id1=upd reveals an admin panel