index.php

<!DOCTYPE html>
<html>
<head>
	<title>test sql injection</title>
</head>
<body>

	<form action="index.php" method="get">
		
		User Name : 
		<input type="text" name="un">

		Password :
		<input type="text" name="pw">

		<input type="submit" value="Submit">

	</form>





	<?php

	$servername = "localhost";
	$username = "root";
	$password = "";
	$dbname = "testsql";

	@$user_name=$_GET['un'];//variable for get username from html form
	@$pass_word=$_GET['pw'];//variable for get password from html form


	// Create connection
	$conn = mysqli_connect($servername, $username, $password, $dbname);
	// Check connection
	if (!$conn) {
		die("Connection failed: " . mysqli_connect_error());
	}

	//query to check username and password
	$sql = "SELECT * FROM testtable WHERE user='$user_name' AND pass='$pass_word'";



	if (mysqli_query($conn, $sql)) {

			//checking username and password
		$un_and_pass_check=mysqli_query($conn, $sql);

	  		//if there is a match it will return 1
		$check=mysqli_num_rows($un_and_pass_check);
		
	   		//if there is a match display login ok
		echo "<br><br><br>";

		if ($check) {
			echo "login ok";
		}
	   		//user name and password do not match display error
		else{
			echo "username and password error";
		}

	}
	else {
		echo "Error: " . $sql . "<br>" . mysqli_error($conn);
	}
	
	

	echo "<br><br><br><br>";


	//preview mysql query for better analysis
	echo "<b>preview mysql query</b> <br><br>";
	echo $sql;

	mysqli_close($conn);
	?>

</body>
</html>