源码：

<?php
        function replaceSpecialChar($strParam){
             $regex = "/(select|from|where|join|sleep|and|\s|union|,)/i";
             return preg_replace($regex,"",$strParam);
        }
        if(strlen($password)!=strlen(replaceSpecialChar($password))){
            die("sql inject error");
        }
        if($password==$_SESSION['password']){
            echo $flag;
        }else{
            echo "error";
        }
    ?>

得到flag的条件是 p a s s w o r d = = password== password==_SESSION[‘password’]

session中的password存储在本地

password由自己传参

将phpsession置空，password传个空气，使条件满足