参考代码:
登录界面index.php:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>你好!</title>
</head>
<body bgcolor="#FFF">
<div style=" margin-top:20px;color:#FFF; font-size:24px; text-align:center">
你好,请开始表演
<br>
</div>
<div align="center" style="margin:40px 0px 0px 520px;border:20px; background-color:#0FC; text-align:center; width:400px; height:150px;">
<div style="padding-top:10px; font-size:15px;">
<!--Form to post the data for sql injections Error based SQL Injection-->
<form action="666.php" name="form1" method="post">
<div style="margin-top:15px; height:30px;">你好,请开始表演
</div>
<div style=" margin-top:9px;margin-left:90px;">
<input type="submit" name="submit" value="OK,查询" />
</div>
</form>
</div>
</div>
</body>
</html>
连接数据库sql-connect.php:
<?php
//including the Mysql connect parameters.
$dbuser ='root';
$dbpass ='';
$dbname ="security";
$host = 'localhost';
@$con = mysql_connect($host,$dbuser,$dbpass);
// Check connection
if (!$con)
{
echo "Failed to connect to MySQL: " . mysql_error();
}
@mysql_select_db($dbname,$con) or die ( "Unable to connect to the database: $dbname");
?>
跳转界面666.php:
<?php
include("sql-connect.php");
//include("333.php");
error_reporting(0);
echo
"<table border='1' id='tab'>";
echo "<tr>";
echo "<td>username</td>";
echo "<td>password</td>";
echo "</tr>";
for($i=1;;$i++){
echo "<tr>";
@$sql = "SELECT username, password FROM users WHERE id=$i";
//查询
$result = mysql_query($sql);
//获取查询结果
$row = mysql_fetch_array($result);
if($row)
{
echo "<td>$row[0]</td>";
echo "<td>$row[1]</td>";
//}
echo "</tr>";
}
else{
break;
}
}
echo "</table>";
?>