Websec - Level 13
Level 13 $db->exec('CREATE TABLE users ( user_id INTEGER PRIMARY KEY, user_name TEXT NOT NULL, user_privileges INTEGER NOT NULL, user_password TEXT NOT NULL )'); ...
Level 13 $db->exec('CREATE TABLE users ( user_id INTEGER PRIMARY KEY, user_name TEXT NOT NULL, user_privileges INTEGER NOT NULL, user_password TEXT NOT NULL )'); ...
Level 11 function sanitize($id, $table) { if (! is_numeric ($id) or $id < 2) { exit("The id must be numeric, and superior to one."); } $special1 = ["!", "\"", "#", "$", ...
Level 10 if (isset ($_REQUEST['f']) && isset ($_REQUEST['hash'])) { $file = $_REQUEST['f']; $request = $_REQUEST['hash']; // default: substr(md5($flag.'index.php'.$flag),0,8) -&...
Level 8 $uploadedFile = sprintf('%1$s/%2$s', '/uploads', sha1($_FILES['fileToUpload']['name']) . '.gif'); if (file_exists ($uploadedFile)) { unlink ($uploadedFile); } if ($_FILES['fileToUploa...
scandir() scandir ( string $directory ) : array ## ex) websec level 8 print_r(scandir('/')); Array ( [0] => . [1] => .. [2] => flag.txt [3] => index.php [4] => ...
Level 2 ini_set('display_errors', 'on'); class LevelTwo { public function doQuery($injection) { $pdo = new SQLite3('leveltwo.db', SQLITE3_OPEN_READONLY); $searchWords = im...
Level 28 <?php if(isset($_POST['submit'])) { if ($_FILES['flag_file']['size'] > 4096) { die('Your file is too heavy.'); } $filename = './tmp/' . md5($_SERVER['REMOTE_ADDR']) . ...
Level 25 parse_str(parse_url($_SERVER['REQUEST_URI'])['query'], $query); foreach ($query as $k => $v) { if (stripos($v, 'flag') !== false) die('You are not allowed to get the fla...
Level 17 include "flag.php"; function sleep_rand() { /* I wish php5 had random_int() */ $range = 100000; $bytes = (int) (log($range, 2) / 8) + 1; do { /* Side effect: ...
Level 4 $sql = new SQL(); $sql->query = 'SELECT username FROM users WHERE id='; if (isset ($_COOKIE['leet_hax0r'])) { $sess_data = unserialize (base64_decode ($_COOKIE['leet_hax0r'])); ...