44 lines
		
	
	
		
			1.1 KiB
		
	
	
	
		
			PHP
		
	
	
	
	
	
			
		
		
	
	
			44 lines
		
	
	
		
			1.1 KiB
		
	
	
	
		
			PHP
		
	
	
	
	
	
| <!DOCTYPE html>
 | |
| <html>
 | |
| <head>
 | |
| 	<title>SQL Injection</title>
 | |
| </head>
 | |
| <body>
 | |
| 
 | |
| 	<form action="<?php $_SERVER['PHP_SELF']; ?>" method="get" >
 | |
| 		<p>Give me book's number and I give you...</p>
 | |
| 		Book's number : <input type="text" name="number">
 | |
| 		<input type="submit" name="submit">
 | |
| 	</form>
 | |
| 	<!--Admin password is in the secret table. I hope, anyone doesn't see it.-->
 | |
| <?php
 | |
| 	$servername = "localhost";
 | |
| 	$username = "root";
 | |
| 	$password = "";
 | |
| 	$db = "1ccb8097d0e9ce9f154608be60224c7c";
 | |
| 	// Create connection
 | |
| 	$conn = new mysqli($servername, $username, $password,$db);
 | |
| 
 | |
| 	// Check connection
 | |
| 	if ($conn->connect_error) {
 | |
| 	    die("Connection failed: " . $conn->connect_error);
 | |
| 	} 
 | |
| 	//echo "Connected successfully";
 | |
| 	$source = "";
 | |
| 	if(isset($_GET["submit"])){
 | |
| 		$number = $_GET['number'];
 | |
| 		$query = "SELECT bookname,authorname FROM books WHERE number = '$number'";
 | |
| 		$result = mysqli_query($conn,$query);
 | |
| 		$row = @mysqli_num_rows($result);
 | |
| 		echo "<hr>";
 | |
| 		if($row > 0){
 | |
| 			echo "<pre>There is a book with this index.</pre>";
 | |
| 		}else{
 | |
| 			echo "Not found!";
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| ?> 
 | |
| </body>
 | |
| </html>
 | 
