44 lines
1.1 KiB
PHP
44 lines
1.1 KiB
PHP
<!DOCTYPE html>
|
|
<html>
|
|
<head>
|
|
<title>SQL Injection</title>
|
|
</head>
|
|
<body>
|
|
|
|
<form action="<?php $_SERVER['PHP_SELF']; ?>" method="get" >
|
|
<p>Give me book's number and I give you...</p>
|
|
Book's number : <input type="text" name="number">
|
|
<input type="submit" name="submit" value="Submit">
|
|
</form>
|
|
<!--Admin password is in the secret table. I hope, anyone doesn't see it.-->
|
|
<?php
|
|
$servername = "localhost";
|
|
$username = "root";
|
|
$password = "";
|
|
$db = "1ccb8097d0e9ce9f154608be60224c7c";
|
|
// Create connection
|
|
$conn = new mysqli($servername, $username, $password,$db);
|
|
|
|
// Check connection
|
|
if ($conn->connect_error) {
|
|
die("Connection failed: " . $conn->connect_error);
|
|
}
|
|
//echo "Connected successfully";
|
|
$source = "";
|
|
if(isset($_GET["submit"])){
|
|
$number = $_GET['number'];
|
|
$query = "SELECT bookname,authorname FROM books WHERE number = '$number'";
|
|
$result = mysqli_query($conn,$query);
|
|
$row = @mysqli_num_rows($result);
|
|
echo "<hr>";
|
|
if($row > 0){
|
|
echo "<pre>There is a book with this index.</pre>";
|
|
}else{
|
|
echo "Not found!";
|
|
}
|
|
}
|
|
|
|
?>
|
|
</body>
|
|
</html>
|