sqli challenge

1. <?php
2. $link = mysql_connect('localhost', 'root', '');
3.  
4. if (!$link) {
5.     die('Could not connect: ' . mysql_error());
6. }
7.  
8. if (!mysql_select_db('test')) {
9.     die('Could not select database: ' . mysql_error());
10. }
11.  
12. var_dump($_REQUEST);
13. $safe = True;
14.  
15. if (isset($_GET['id'])) {
16.     # If id is not numeric than it probably isn't safe.
17.   if (!is_numeric($_GET['id'])) {
18.         $safe = False;
19.     }
20.    
21.     # Test the value of id with a "safe" query to determine if SQLi or not.
22.   $query = mysql_query("SELECT 1 FROM users WHERE 1=" . $_GET['id']);
23.    
24.     # If query doesn't run than there is most likely no risk of SQLi.
25.   if (!$query)
26.         $safe = True;
27.    
28.     # Value of id is not safe, possible SQLi.
29.   if (!$safe)
30.         die("SQL INJECTION DETECTED");
31.    
32.         # Our "safe" query did not execute, should be safe to run on real query.
33.   $query = mysql_query("SELECT username FROM users WHERE id=" . $_GET['id']);
34.  
35.     if (!$query) {
36.         die('Could not query:' . mysql_error());
37.     }
38.    
39.     echo '<pre>';
40.     print_r(mysql_fetch_row($query));
41.     echo '</pre>';
42. } else
43.     echo "Did not find a value for id.";
44.  
45. ?>