<?php
//This is where the vulnerable is.
$data = $_GET['user'];
// where it displays the vulnerable.
echo $data;
?>
<!DOCTYPE html>
<head>
<title>Submit</title>
</head>
<body>
<form method = "get">
User: <input type="text" name="user" /><br />
<input type="button" value ="submit" />
</form>
</body>
</html>