52 lines
		
	
	
		
			1.2 KiB
		
	
	
	
		
			PHP
		
	
	
	
	
	
			
		
		
	
	
			52 lines
		
	
	
		
			1.2 KiB
		
	
	
	
		
			PHP
		
	
	
	
	
	
| <!DOCTYPE html>
 | |
| <html>
 | |
| <head>
 | |
| 	<title>SQL Injection</title>
 | |
| </head>
 | |
| <body>
 | |
| 
 | |
| 	<form action="<?php $_SERVER['PHP_SELF']; ?>" method="post" >
 | |
| 		<p>Give me book's number and I give you book's name in my library.</p>
 | |
| 		Book's number : <input type="text" name="number">
 | |
| 		<input type="submit" name="submit">
 | |
| 	</form>
 | |
| 
 | |
| <?php
 | |
| 	$servername = "localhost";
 | |
| 	$username = "root";
 | |
| 	$password = "";
 | |
| 	$db = "db1";
 | |
| 
 | |
| 	// Create connection
 | |
| 	$conn = new mysqli($servername, $username, $password,$db);
 | |
| 
 | |
| 	// Check connection
 | |
| 	if ($conn->connect_error) {
 | |
| 	    die("Connection failed: " . $conn->connect_error);
 | |
| 	} 
 | |
| 	//echo "Connected successfully";
 | |
| 	if(isset($_POST["submit"])){
 | |
| 		$number = $_POST['number'];
 | |
| 		$query = "SELECT bookname,authorname FROM books WHERE number = $number"; //Int
 | |
| 		$result = mysqli_query($conn,$query);
 | |
| 
 | |
| 		if (!$result) { //Check result
 | |
| 		    $message  = 'Invalid query: ' . mysql_error() . "\n";
 | |
| 		    $message .= 'Whole query: ' . $query;
 | |
| 		    die($message);
 | |
| 		}
 | |
| 
 | |
| 		while ($row = mysqli_fetch_assoc($result)) {
 | |
| 			echo "<hr>";
 | |
| 		    echo $row['bookname']." ----> ".$row['authorname'];    
 | |
| 		}
 | |
| 
 | |
| 		if(mysqli_num_rows($result) <= 0)
 | |
| 			echo "0 result";
 | |
| 	}
 | |
| 
 | |
| ?> 
 | |
| 
 | |
| </body>
 | |
| </html>
 | 
