On security level low, the command 127.0.0.1; ls worked and showed this
But on medium security it didn't work. Even the command 127.0.0.1 && ls didn't work, so used only '&' to access the files, i.e. 127.0.0.1 & ls, and could use other commands such as cat.php, like 127.0.0.1 & cat.php
Used the command 127.0.0.1|ls, i.e. without a space, to bypass the checks
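Why the substitution filters above keep failing, and what holds up instead, shown as an added example (not code from these notes or from the lab application). The two blacklists are assumed models of the behaviour the notes describe, and the function names are hypothetical.

```python
import ipaddress
import subprocess

# Assumed models of the filters described in the notes (not the lab's source):
# medium strips ';' and '&&'; high strips '&', ';' and '| ' (pipe plus space).
MEDIUM_BLACKLIST = ["&&", ";"]
HIGH_BLACKLIST = ["&", ";", "| "]
SHELL_METACHARS = set(";&|`$()<>\n")

def blacklist_filter(value, blacklist):
    """Weak approach: delete known-bad tokens and pass the rest to a shell."""
    for token in blacklist:
        value = value.replace(token, "")
    return value

def still_injectable(value):
    """True if shell metacharacters survive in the filtered string."""
    return any(ch in SHELL_METACHARS for ch in value)

def validate_target(value):
    """Allow-list approach: accept only a literal IPv4/IPv6 address."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None

def safe_ping_argv(value):
    """Build an argv list; no shell ever parses the user's input."""
    addr = validate_target(value)
    if addr is None:
        raise ValueError("target must be an IP address")
    return ["ping", "-c", "4", addr]

def ping(value):
    # shell=False is the default: the address is passed as a single argument.
    return subprocess.run(safe_ping_argv(value), capture_output=True,
                          text=True, timeout=10)

if __name__ == "__main__":
    # Inputs taken from the notes above, plus one clean address.
    cases = [("127.0.0.1; ls", MEDIUM_BLACKLIST),
             ("127.0.0.1 && ls", MEDIUM_BLACKLIST),
             ("127.0.0.1 & ls", MEDIUM_BLACKLIST),
             ("127.0.0.1|ls", HIGH_BLACKLIST),
             ("127.0.0.1", HIGH_BLACKLIST)]
    for raw, bl in cases:
        out = blacklist_filter(raw, bl)
        print(f"{raw!r:20} blacklist->{out!r:18} "
              f"injectable={still_injectable(out)} "
              f"allow-list={validate_target(raw)}")
```

The allow-list rejects every input from the notes except the bare address, whichever separator is used, because it checks what the value is rather than what it must not contain.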
On low security used the payload <script>alert(1)</script> to redirect, but on medium and high security the script keyword is replaced, so can use the payload <scr<script>ipt>("You are hacked")</script>
Can also use this -
Added this payload to the URL: <img%20src/onerror=alert("hacked")>
Inspected the page to change the value of any option to '1 or 1=1' (i.e. an always-true condition) and got all the names.
First used the payload <script>alert(1)</script> but it didn't work. Capitalizing it as <SCRIPT>alert(1)</SCRIPT> also didn't work. So entered the payload in the name column, but it had a restriction on the length, so changed it by inspecting.