<?php
  
include "../../config.php";
  if(
$_GET['view_source']) view_source();
?><html>
<head>
<title>Challenge 49</title>
</head>
<body>
<h1>SQL INJECTION</h1>
<form method=get>
level : <input name=lv value=1><input type=submit>
</form>
<?php
  
if($_GET['lv']){
    
$db dbconnect();
    if(
preg_match("/select|or|and|\(|\)|limit|,|\/|order|cash| |\t|\'|\"/i",$_GET['lv'])) exit("no hack");
    
$result mysqli_fetch_array(mysqli_query($db,"select id from chall49 where lv={$_GET['lv']}"));
    echo 
$result[0] ;
    if(
$result[0]=="admin"solve(49);
  }
?>
<hr><a href=./?view_source=1>view-source</a>
</body>
</html>