PHP code

<?php
include "sql_and_php_debug.php";
mysql_connect("localhost", "level33", "Le/Sn6p3q+HrE12y5U8nLg==");
mysql_select_db("level33");

?>
<h1>Shop List</h1>
Try to dump the database through an SQL-injection<br/>(' is banned, " is banned, -- is banned, # is banned, /* is banned)
<?php
if (!isset($_GET['product_id'])) {
?>
<h2>Our products:</h2>
<?php
  $res = debug_mysql_query("SELECT id, label FROM products");
  while ($row = mysql_fetch_assoc($res)) {
    echo "$row[id] &mdash; <a href='?product_id=$row[id]'>$row[label]</a><p/>";
  }
} else {
?>
<h2>Product description</h2>
<a href='?'>&laquo; back</a><p/>
<?php
  
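  // Blacklist filter: rejects ', ", --, # and /* anywhere in product_id
  if (preg_match('/\'|"|--|#|\/\*/s', $_GET['product_id'])) {
    echo "Hacking attempt! Denied.";
  } else {
    // product_id is concatenated unquoted into the query (the flaw this level is built around)
    $res = debug_mysql_query("SELECT * FROM products WHERE id = " . $_GET['product_id']);
    $row = mysql_fetch_assoc($res);
    echo "<h3>$row[label]</h3><p/>$row[description]";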
  }
}
SQL debug

Shop List

Try to dump the database through an SQL-injection
(' is banned, " is banned, -- is banned, # is banned, /* is banned)

Our products:

1 — Headphones

2 — Spoon

3 — Flag

4 — Grocery list

5 — Carrots
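
The blacklist in the PHP code above blocks quote and comment characters, but product_id is placed in an unquoted numeric position, so input can alter the query without ever containing a banned character. The following PHP is an added example (not the challenge's code) of the hardened form: integer allowlisting plus a bound parameter. It assumes the pdo_sqlite extension and constructed sample rows; parse_product_id and find_product are hypothetical helper names.

```php
<?php
// Added example, not the challenge's code. Assumes the pdo_sqlite extension;
// the table rows below are constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE products (id INTEGER PRIMARY KEY, label TEXT, description TEXT)");
$db->exec("INSERT INTO products VALUES (1, 'Headphones', 'sample'), (2, 'Spoon', 'sample')");

// The page's blacklist, unchanged: true means the request would be denied.
function blacklist_rejects(string $input): bool {
    return preg_match('/\'|"|--|#|\/\*/s', $input) === 1;
}

// Allowlist (hypothetical helper): the value must parse as a positive integer.
function parse_product_id(string $input): ?int {
    $id = filter_var($input, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Hardened lookup (hypothetical helper): the id is bound as an integer
// parameter, so it can never become part of the SQL text.
function find_product(PDO $db, string $input): ?array {
    $id = parse_product_id($input);
    if ($id === null) {
        return null;
    }
    $stmt = $db->prepare('SELECT label, description FROM products WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs: a valid id, a value carrying SQL keywords, plain text.
foreach (['2', '2 OR 1=1', 'abc'] as $input) {
    $row = find_product($db, $input);
    printf("%-10s blacklist_rejects=%s allowlist=%s result=%s\n",
        $input,
        var_export(blacklist_rejects($input), true),
        var_export(parse_product_id($input), true),
        // Escape database values before they reach HTML output.
        $row === null ? 'none' : htmlspecialchars($row['label'], ENT_QUOTES, 'UTF-8'));
}
```

The blacklist lets all three inputs through, while the allowlist accepts only the first; that gap is why character filtering is not a substitute for typed validation and parameter binding.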