Inurl Index.php%3fid= Jun 2026

If the input is not sanitized, an attacker could manipulate the URL (e.g., index.php?id=1' OR '1'='1) to alter the logic of the SQL query. This could allow unauthorized access to data or the database itself.

db.collection.find({ _id: req.query.id }); // unvalidated: req.query.id goes into the query exactly as it arrived in the URL
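
The concatenation problem described above and the unvalidated lookup, with a hardened form beside them, as an added example that is not code from the original page. The table name items, the function names, the numeric id format and the sample inputs are assumptions made for the illustration.

```javascript
// Added example with hypothetical names and constructed inputs.

// Vulnerable pattern: the id from the URL is concatenated into the SQL text,
// so quote characters in it become part of the query logic.
function buildQueryUnsafe(id) {
  return "SELECT * FROM items WHERE id = '" + id + "'";
}

// Accept only a plain decimal string (assumption: ids are positive integers).
// Query-string parsers can also hand over arrays or objects, so the type is
// checked before the format.
function parseId(raw) {
  if (typeof raw !== 'string') return null;
  if (!/^[1-9][0-9]{0,14}$/.test(raw)) return null; // at most 15 digits, below 2^53
  return Number(raw);
}

// Hardened SQL form: the id is validated, then sent as a bound parameter.
// The SQL text is a constant and never contains user input.
function buildQuerySafe(raw) {
  const id = parseId(raw);
  if (id === null) return { ok: false, status: 400 };
  return { ok: true, text: 'SELECT * FROM items WHERE id = ?', values: [id] };
}

// Same validation in front of a MongoDB-style lookup: only a number
// ever reaches the filter object.
function buildFilterSafe(raw) {
  const id = parseId(raw);
  return id === null ? null : { _id: id };
}

// Constructed sample values, as a handler would see them in req.query.id.
function demo() {
  const samples = ['42', "1' OR '1'='1", ['1', '2'], { nested: 'x' }];
  return samples.map((raw) => ({
    raw,
    unsafeSql: typeof raw === 'string' ? buildQueryUnsafe(raw) : null,
    safeSql: buildQuerySafe(raw),
    safeFilter: buildFilterSafe(raw),
  }));
}

console.log(JSON.stringify(demo(), null, 2));
```

With a real driver, the text and values pair is what gets passed to its parameterized query call, and a rejected id is answered with the 400 status instead of reaching the database.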