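<?php
// Integer-based SQLi — no quotes, full pipeline (error/bool/union/time).
//
// Deliberately vulnerable lab endpoint: `id` is interpolated unquoted into the
// WHERE clause, so numeric-context injection is the intended exercise. Do not
// "fix" the interpolation on this page; the hardened form would be
//     $stmt = $dbh->prepare('SELECT id, username, email, role FROM users WHERE id = ?');
//     $stmt->bind_param('i', $id);
// Run this only on an isolated lab network: the default account is root/toor
// (overridable via DB_PASS), so a successful injection inherits whatever
// privileges that account has on the server.

// The checks below (`connect_errno`, `query() === false`) assume mysqli's
// return-value error reporting. Since PHP 8.1 the default report mode is
// MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT, under which the constructor and
// query() throw mysqli_sql_exception instead; `@` does not suppress that, so the
// error-based branch would never render and an uncaught-exception page (which
// may include the connection arguments in its trace) would take its place.
// Pin the legacy mode so the explicit checks are the ones that run.
mysqli_report(MYSQLI_REPORT_OFF);

$dbh = @new mysqli(getenv('DB_HOST') ?: 'db', 'root', getenv('DB_PASS') ?: 'toor', getenv('DB_NAME') ?: 'newploit');

// Only a scalar belongs in the query: `?id[]=1` would otherwise raise an
// "Array to string conversion" warning here and a TypeError at the
// htmlspecialchars($id) call in the template. Fall back to the default row.
$id = $_GET['id'] ?? '1';
if (!is_string($id)) {
    $id = '1';
}

// Intentionally unparameterised (see header). The statement is echoed back on
// the error page so the injected query can be inspected.
$sql = "SELECT id, username, email, role FROM users WHERE id=$id";

$row = null; // first matching row, or null when none / on any failure
$err = '';   // server error text; non-empty selects the error branch in the template

if ($dbh && !$dbh->connect_errno) {
    // mysqli::query() executes a single statement, so stacked queries are not
    // possible here; inline payloads such as SLEEP() still run (time-based).
    $res = @$dbh->query($sql);
    if ($res === false) {
        // The verbose server error is the oracle for the error-based technique.
        $err = $dbh->error;
    } elseif ($res instanceof mysqli_result) {
        // Only the first row is rendered; a UNION row is shown when the
        // original id matches nothing.
        $row = $res->fetch_assoc();
        $res->free();
    }
}
// NOTE(review): a failed connection leaves both $row and $err empty, so the
// page renders "No such user." rather than a connection error.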
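// Template. Reads $id, $sql, $row and $err from the logic above.
// Every reflected value is HTML-escaped, and $err is not exempt: MySQL's
// syntax error quotes the offending fragment of the injected input back
// ("... near '<payload>' at line 1"), so echoing it raw turns the error-based
// oracle into a reflected XSS on top of the intended SQLi. Escaping keeps the
// error text fully visible, which is all the error-based technique needs.
?><!DOCTYPE html>
<html><body>
<h1>User profile #<?= htmlspecialchars($id) ?></h1>

<?php if ($err): ?>
<?php /* The literal "You have an error in your SQL syntax:" prefix is kept as-is —
        it presumably lets error-detection heuristics match even for non-syntax
        server errors (e.g. unknown column); confirm before changing it. */ ?>
<pre style="color:#c00">You have an error in your SQL syntax: <?= htmlspecialchars($err) ?>
<?= htmlspecialchars($sql) ?></pre>
<?php elseif ($row): ?>
<p>User found:</p>
<ul>
<?php /* Column values are attacker-controlled under a UNION payload; escape them. */ ?>
<li>username: <?= htmlspecialchars($row['username'] ?? '') ?></li>
<li>email: <?= htmlspecialchars($row['email'] ?? '') ?></li>
<li>role: <?= htmlspecialchars($row['role'] ?? '') ?></li>
</ul>
<?php else: ?>
<p>No such user.</p>
<?php endif; ?>
</body></html>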