<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- sqli-labs Less-6: intentionally vulnerable lab page (double-quoted string injection, error-based). -->
<!-- Presentation uses legacy XHTML 1.0 markup (bgcolor, <font>, <center>, </br>); left as-is for the lab. -->
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<title>Less-6 Double Query- Double Quotes- String</title>
</head>
<body bgcolor="#000000">
<div style=" margin-top:60px;color:#FFF; font-size:23px; text-align:center">Welcome <font color="#FF0000"> Dhakkan </font><br><font size="3" color="#FFFF00">
<?php
// Including the MySQL connect parameters (the connection itself is opened in that file, not here).
include("../sql-connections/sql-connect.php");
// All PHP warnings/notices are silenced; the only errors shown are the ones this script prints itself.
error_reporting(0);
// take the variables
if(isset($_GET['id'])){
    // Untrusted input: the id comes straight from the query string with no type or length check.
    $id=$_GET['id'];
    // Logging the connection parameters to a file for analysis.
    // NOTE(review): the raw id is appended unescaped, so a value containing a newline can forge
    // extra log lines; 'result.txt' is a relative path (normally the script's own directory), so
    // if that directory is web-served the log is readable over HTTP -- confirm the deployment.
    // fopen() is not checked for failure; under error_reporting(0) a failed open is silent.
    $fp=fopen('result.txt','a');
    fwrite($fp,'ID:'.$id."\n");
    fclose($fp);
    // connectivity
    // The injection point: the id is wrapped in double quotes and spliced into the query verbatim.
    // A double quote inside the parameter terminates the string literal and everything after it
    // is parsed as SQL. Outside the lab, the fix is a prepared statement with a bound parameter
    // (or casting id to int before use) -- never string concatenation.
    $id='"'.$id.'"';
    $sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
    // This level is similar to Level 4, so only a brief explanation here.
    // http://127.0.0.1/sqli-labs/Less-4/?id=-1" union select 1,2,3 --+
    // After wrapping: "-1" union select 1,2,3 --+"
    // The SQL statement is effectively: SELECT * FROM users WHERE id="-1" union select 1,2,3
    // Legacy mysql_* extension (deprecated in PHP 5.5, removed in PHP 7.0). mysql_query() returns
    // FALSE on a failed query, so $row is empty and the else branch below runs.
    $result=mysql_query($sql);
    $row=mysql_fetch_array($result);
    if($row){
        echo'<font size="5" color="#FFFF00">';
        echo'You are in...........';
        echo"<br>";
        echo"</font>";
    }else{
        // Error-based channel: the raw MySQL error text is written into the page. This is what
        // the lesson exercises; in production, database errors belong in a server-side log only.
        echo'<font size="3" color= "#FFFF00">';
        print_r(mysql_error());
        echo"</br></font>";
        // This <font> element is never closed (existing markup defect, left as-is).
        echo'<font color= "#0000ff" font size= 3>';
    }
}else{
    echo"Please input the ID as parameter with numeric value";
}
?>
</font></div></br></br></br><center><img src="../images/Less-6.jpg"/></center></body></html>