The danger is not the id itself; it is . If the developer assumes the id will always be a safe number (like 123 ) and directly inserts it into an SQL query without validation, the application is vulnerable.