Hacker found that original form submitted to<br>
http://webdev.iyaclasses.com/~dent/demos/security_formsample.php
<br>
and so wrote a LOCAL form on
their computer/server that submits directly to above.
They would not actually need to build the form, but a hacking program could
generate a form submission and post it directly there. But
to give you an example of what they could do...

<form enctype="multipart/form-data" method="post"
    action="http://webdev.iyaclasses.com/~dent/demos/security_formsample.php">
Try to submit virus to php: <input type="file" name="hack.exe">
    <input type="hidden" value="hack data" name="secret field">
    <br>
    Username: <input type="text" name="username" value="sss"><br>
    Password: <input type="text" name="password" value="zzz';DROP USERS;"><br>
    <input type="submit" value=HACK!">
</form>