php – 如何演示二阶SQL注入？

insert.php

<?php

$db_selected = mysql_select_db('canada',$conn);
if (!db_selected)
    die("can't use mysql: ". mysql_error());

$sql_statement = "INSERT into canada (UserID,FirstName,LastName,Age,State,Town)
                    values ('".mysql_real_escape_string($_REQUEST["UserID"])."','".mysql_real_escape_string($_REQUEST["FirstName"])."','".mysql_real_escape_string($_REQUEST["LastName"])."',".intval($_REQUEST["Age"]).",'".mysql_real_escape_string($_REQUEST["State"])."','".mysql_real_escape_string($_REQUEST["Town"])."')";

echo "You ran the sql query=".$sql_statement."<br/>";
$qry = mysql_query($sql_statement,$conn) || die (mysql_error());
mysql_close($conn);
Echo "Data inserted successfully";
}
?>

select.php

<?php


$db_selected = mysql_select_db('canada',$conn);
if(!db_selected)
    die('Can't use mysql:' . mysql_error());
$sql = "SELECT * FROM canada WHERE UserID='".addslashes($_POST["UserID"])."'";
echo "You ran the sql query=".$sql."<br/>";
$result = mysql_query($sql,$conn);
$row=mysql_fetch_row($result);

$sql1 = "SELECT * FROM canada WHERE FirstName = '".$row[1]."'";
echo "The web application ran the sql query internally=" .$sql1. "<br/>";
$result1 = mysql_query($sql1,$conn);
$row1 = mysql_fetch_row($result1);

mysql_close($conn);
echo "<br><b><center>Database Output</center></b><br><br>";

echo "<br>$row1[1] $row1[2],you are a voter! <br>";

echo "<b>VoterID: $row[0]</b><br>First Name: $row[1]<br>Last Name: $row[2]
    <br>Age: $row[3]<br>Town: $row[4]<br>State: $row[5]<br><hr><br>";
}
?>

因此,我故意使这个易受攻击,以显示二阶SQL注入如何工作,用户可以在第一个名称部分输入代码(我目前卡住的地方,我尝试了很多不同的方式,但似乎我无法得到它可以做任何事情).
然后当一个人想要激活他在第一个名字部分中插入的代码时,他只需输入用户ID并插入代码即可.

例如：
我将在insert.php页面中输入：
userid = 17

firstname =(我需要在这里注入一些东西)

lastname = ..

年龄= ..

镇= ..

州= ..

然后,当我检查我的详细信息并输入17时,将激活注入的SQL脚本.
我可以举几个例子来说明我可以通过这种方式展示哪种漏洞？