Pokermax league, stopped working after php upgrade on webserver

I have upgraded the webserver PHP, and an old site that was working fine now has errors. I am not understanding the errors, but I think it needs to be rewritten to work. It is failing at lines 8 and 9. I have edited line 6 and that seems to work, but I can't figure out the others for the later code.
These are the site errors I get:
Warning: mysqli_query() expects parameter 1 to be mysqli, string given in /server address/pokeradmin/index.php on line 8

Warning: mysqli_num_rows() expects parameter 1 to be mysqli_result, null given in /server address/pokeradmin/index.php on line 9

the code in use is

[php]<?php
include "…/includes/config.php";
$validationattempted = false;
if (isset($_POST["op"]) && ($_POST["op"]=="adminlogin"))
{
$connection = mysqli_connect($server, $DBusername, $DBpassword, $database) or die ("$DatabaseError");
$query = "SELECT * FROM $admin_table WHERE username='".$_POST['username']."' AND password='".$_POST['password']."'";
$result = mysqli_query($query); // line 8: the warning above comes from here, mysqli_query() expects the connection as its first argument
if (mysqli_num_rows($result) >0 ) // line 9: $result is null because the query on line 8 failed
{
$validationattempted = true;
$validated = true; // assume validation passed
// If username and password are valid set the cookie
setcookie ("ValidUserAdmin", $_POST['username'],time()+36000); // expires in 10 hours (36000 seconds)

}
}

?>

PokerMax Poker League :: Keeping track of your poker tournaments <meta http-equiv="[/php]

Any help would be great,
Tim
Warning: mysqli_num_rows() expects parameter 1 to be mysqli_result, null given in /server address/pokeradmin/index.php on line 9

Refers to your query failing and not returning a result set. Look into prepared statements to insulate your database.

You let anybody be admin as long as they have a “ValidUserAdmin” cookie? What exactly prevents me from creating this cookie myself?

Yes, both of those answers are correct and you should think about fixing both.

Just to get them working, you need to use the connection variable in all of your MySQLi functions…
So, mysql_query(something) would become mysqli_query($conn, something), etc…

Here is a nice place to start to learn more about the improved version of MySQL…
http://www.w3schools.com/php/php_ref_mysqli.asp

After taking a closer look at the application (which another member found on GitHub), I urge you to remove this code from your server. This is pure malware which can be used to “steal” and manipulate your data, attack your users and, in the worst case, take over your entire server.

To give you just a brief overview of the vulnerabilities:

[ul][li]The queries are wide open to SQL injection attacks, which means anybody on the Internet can send arbitrary queries directly to your database system. This does not only affect your data. Depending on your configuration, it can be used to upload malicious code to your server.[/li]
[li]As I already pointed out, anybody can become an admin simply by creating a browser cookie. At the same time, admins have the ability to make database dumps and access even the most sensitive data (names, e-mail addresses, possibly password hashes etc.).[/li]
[li]It’s also possible to directly attack your users through cross-site scripting.[/li]
[li]…[/li][/ul]

I understand this is bad news, and you probably hate to take your site offline. But it’s the only responsible thing to do. In fact, you should reinstall the whole server, because there’s a fairly big risk that the vulnerabilities have already been exploited. It’s very easy to do that with automated tools.

Look for reputable software which is actively maintained by a team of professional programmers. Don’t just use code you found somewhere on the Internet. A lot of it is crap written by well-meaning but dangerously incompetent amateurs.
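For anyone who still wants to see what the fixes discussed in this thread look like in one place, here is an added example rewrite of Tim's login block. It is not PokerMax code and not from any of the posters: it fixes the two warnings (the connection is passed to every mysqli call), replaces the concatenated query with a prepared statement as the first reply suggests, and replaces the forgeable "ValidUserAdmin" cookie with a server-side session as the second reply implies. It assumes, as the original does, that $server, $DBusername, $DBpassword, $database and $admin_table are defined in config.php, and additionally assumes the admin table's password column holds password_hash() output rather than plaintext (admin_login(), is_admin() and the column names are illustrative names chosen here).

```php
<?php
// Added example, not the original PokerMax code. Assumes config.php defines
// $server, $DBusername, $DBpassword, $database and $admin_table exactly as
// the original include does; the path and file name are taken from the post.
require __DIR__ . '/../includes/config.php';

// Minimal fix for the two warnings alone (still injectable, still cookie-based)
// would be:   $result = mysqli_query($connection, $query);
// Everything below goes further and fixes the vulnerabilities as well.

// Throw exceptions on MySQL errors instead of returning null and warning later.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Login state is stored server-side; the browser only ever sees an opaque
// session id, which is marked HttpOnly/Secure/SameSite so scripts cannot
// read it and it is not sent cross-site. (Assumes PHP >= 7.3 and HTTPS.)
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Strict',
]);
session_start();

// Returns true only if $username exists and $password matches the stored
// password_hash() value. User input never touches the SQL text: the only
// interpolated value is $admin_table, which comes from config.php, not from
// the request. (Assumption: the column is named `password` as in the post.)
function admin_login(mysqli $connection, string $admin_table, string $username, string $password): bool
{
    $stmt = $connection->prepare(
        "SELECT password FROM `{$admin_table}` WHERE username = ? LIMIT 1"
    );
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();
    $stmt->close();

    // password_verify() is constant-time; a missing user and a wrong password
    // take the same code path so the response does not reveal which it was.
    if (!$found || !password_verify($password, (string) $hash)) {
        return false;
    }

    // Fresh session id on privilege change prevents session fixation.
    session_regenerate_id(true);
    $_SESSION['admin_user'] = $username;
    return true;
}

// Every admin page calls this instead of checking a client-controlled cookie.
// A forged "ValidUserAdmin" cookie is simply ignored because nothing reads it.
function is_admin(): bool
{
    return isset($_SESSION['admin_user']);
}

// One-time migration helper for an existing plaintext `password` column:
// run once per admin row, then drop the plaintext value.
function hash_for_storage(string $plaintext): string
{
    return password_hash($plaintext, PASSWORD_DEFAULT);
}

$validationattempted = false;
$validated = false;
if (isset($_POST['op']) && $_POST['op'] === 'adminlogin') {
    $validationattempted = true;
    $connection = new mysqli($server, $DBusername, $DBpassword, $database);
    $validated = admin_login(
        $connection,
        $admin_table,
        (string) ($_POST['username'] ?? ''),
        (string) ($_POST['password'] ?? '')
    );
    $connection->close();
}
```

Two things are worth checking after dropping this in: confirm with the MySQL general log (or by submitting a username containing a single quote) that the quote arrives as data rather than breaking the statement, and confirm that a request carrying a hand-made "ValidUserAdmin" cookie but no session still gets the login form. Note that the injection risk in the original was not limited to the login query; the last reply above is right that the rest of the application needs the same treatment or, better, replacement.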
