I am learning about SQL injection by following this walkthrough. The address bar looks like this:
https://redtiger.labs.overthewire.org/level3.php?usr=MDQyMjExMDE0MTgyMTQ
The first step is to generate an error by changing the value of this variable:
https://redtiger.labs.overthewire.org//hackit/level3.php?usr[]=
I am not experienced in web programming, but I know how to send form values in the address line. However, the page source does not contain a usr variable. What is this?
The actual URL requested is available in $_SERVER['REQUEST_URI'].
Querystring parameters will be found in $_GET ... in this case, look at $_GET['usr'].
These values would typically be produced as a result of a form submission. Look for input elements on the page with the name attribute of usr, or multiple elements with the name usr[] in the second case. That would allow multiple entries to end up in an array server-side.
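
As an added example (not part of the original answer or the walkthrough's code), this PHP snippet shows how the two query strings from the question are parsed into $_GET-style values, and how a server-side type check rejects the array form before it reaches code that expects a string. `scalar_param` is a hypothetical helper, and the third query string is a constructed sample.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (an assumption, not from the page): return the named
// query parameter only when it is a plain string. An array value, which is
// what "usr[]=" produces, is rejected instead of being passed on to string
// functions, where it would trigger a PHP warning or TypeError.
function scalar_param(array $query, string $name): ?string
{
    if (!array_key_exists($name, $query)) {
        return null;
    }
    $value = $query[$name];
    return is_string($value) ? $value : null;
}

// Query strings mirroring the two URLs in the question, plus one constructed
// sample with two entries to show the "multiple elements" case.
$samples = [
    'usr=MDQyMjExMDE0MTgyMTQ',
    'usr[]=',
    'usr[]=a&usr[]=b',   // constructed
];

foreach ($samples as $qs) {
    // parse_str() applies the same parsing rules PHP uses to build $_GET.
    parse_str($qs, $query);

    $raw      = $query['usr'] ?? null;
    $accepted = scalar_param($query, 'usr');

    printf(
        "%-26s type=%-6s accepted=%s\n",
        $qs,
        gettype($raw),
        var_export($accepted, true)
    );
}
```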