marksalehouse
Posted December 22, 2017 (edited)

Hi folks,

I never knew I was on this Forum until I tried to join. I have never used it before so go gently with me please.

I got a guy to move my site from flat HTML to partial PHP/DB many years ago. I would go to an Admin control panel to let me enter details and upload an image - delete/edit. This function suddenly stopped recently and now the search fails with a useless, non informative error. I also notice that when I log in to the ACP it just comes back with another login screen and lets me through when I complete this one. Strange that it now asks twice.

It now comes up with this error (and nothing noted via the site's Cpanel). The id/password was hard coded into the admin logon script and I made sure the DB password is the same within MySql via the Cpanel.

There has been a fatal error. Apologies for any inconvenience.

The website is about 17 years old now - XHTML 1.0 and PHP - but has had a partial make-over to let it run on other options (phones etc.). The coding is split into various sections (I have no idea why - insert/delete/edit etc). I need to get the site back up again, although the flat HTML still works a treat. An example is below:

I am not good at PHP so I really need an idiot's guide. If anyone has any idea do let me know please.

Thanks, Mark

```php
<?php
session_start();
if($_SESSION['admin_login'] != 'loggedin'){
    header("Location: http://www.example.com/admin/login");
}
require('../../classes/class.php');
$fullurl = 'http://www.example.com/';
$page = new example;
$page->db_connect();
if($_POST['submitform'] == 'Add Listing'){
    $results = array();
    foreach($_POST as $key => $value){
        $results[$key] = $value;
    }
    $message = '';
    if(mysqli_query("INSERT INTO `premises` (`area`,`type`,`name`,`address`,`address2`,`town`,`postcode`,`telephone`,`website`,`email`,`text`) VALUES ('$results[area]','$results[type]','$results[name]','$results[address]','$results[address2]','$results[town]','$results[postcode]','$results[telephone]','$results[website]','$results[email]','$results[text]')")){
        $message = 'Thank you, this listing has been added';
    } else {
        $message = 'Sorry, this listing could not be added. Please try again or contact your administrator';
    }
    $rs = mysqli_fetch_assoc(mysqli_query("SELECT `id` FROM `premises` WHERE `area`='$results[area]' AND `name`='$results[name]' AND `text`='$results[text]'"));
    if(!empty($_FILES['image']['name'])){
        $imagename = str_replace(" ", "_" , $_FILES['image']['name']); // get image name
        //if($_FILES['image']['type'] == 'image/jpeg'){ // if extension is allowed, continue, otherwise dont upload
        //alert("hi");
        $newname = date("YmdHis").$imagename;
        $source = $_FILES['image']['tmp_name']; // source location
        $target = "../../images/uploads/".$newname; // new location
        move_uploaded_file($source, $target);
        mysqli_query("INSERT INTO `images` (`parent` , `name`) VALUES ('$rs[id]' , '$newname')");
        //}
    }
}
$counties_nav = $page->multi_result("SELECT * FROM `settings` WHERE `name`='county' ORDER BY `value` ASC");
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
  <meta name="author" content="The ... (C)2004-17">
  <meta http-equiv="content-type" content="text/html; charset=utf-8" />
  <meta name="description" content="" />
  <meta name="keywords" content="" />
  <link rel="stylesheet" type="text/css" href="<?=$fullurl;?>css/style3.css" media="screen" />
  <title>...</title>
</head>
<body>
<div id="header">
  <h1>...</h1>
  <h2>Personally Recommended Pubs, Restaurants & Places To Visit Around Northern Ireland</h2>
</div>
<div id="navbar">
  <div id="navlinks">
    <ul>
      <li><a href="../../index.php">Home</a></li>
    </ul>
  </div>
</div>
<div id="container">
  <div id="leftcontainer"> </div>
  <div id="content">
    <?php
    echo '<h2>Delete Listing - <span style="font-size: 70%;"><a href=http://www.example.com/admin/premises/>Back to Premises</a></span></h2>';
    if(!empty($message)){
        echo '<p style="margin: 0px 0px 5px 0px; padding: 0; color: #F00;"> '.$message.'.</p>';
    }
    ?>
    <div style="margin-left: 155px;">
      <form action="<?=$_SERVER['PHP_SELF'];?>" method="post" enctype="multipart/form-data">
        <table cellspacing="0" cellpadding="0" border="0" style="font-size: 90%;">
          <tr>
            <td style="width: 150px; margin: 0px 0px 2px 0px; padding: 0;"></td>
            <td style="width: 350px;"><input type="hidden" name="id" value="1" style="margin: 0px 0px 2px 0px; padding: 0;" /></td>
          </tr>
          <tr>
            <td style="width: 150px; margin: 0px 0px 2px 0px; padding: 0;"><b>Area</b>:</td>
            <td style="width: 350px;">
              <select name="area" style="margin: 0px 0px 2px 0px; padding: 0;">
                <option value="Belfast+North">Belfast North</option>
                <option value="Belfast+South">Belfast South</option>
                <option value="County+Antrim">County Antrim</option>
                <option value="County+Armagh">County Armagh</option>
                <option value="County+Down">County Down</option>
                <option value="County+Fermanagh">County Fermanagh</option>
                <option value="County+Londonderry">County Londonderry</option>
                <option value="County+Tyrone">County Tyrone</option>
                <option value="Dumfries+&+Galloway">Dumfries & Galloway</option>
              </select>
            </td>
          </tr>
          <tr>
            <td style="width: 150px; margin: 0px 0px 2px 0px; padding: 0;"><b>Type</b>:</td>
            <td style="width: 350px;">
              <select name="type" style="margin: 0px 0px 2px 0px; padding: 0;">
                <option>Pub</option>
                <option>Restaurant</option>
                <option>Place to visit</option>
              </select>
            </td>
          </tr>
          <tr>
            <td style="width: 150px; margin: 0px 0px 2px 0px; padding: 0;"><b>Name</b>:</td>
            <td style="width: 350px;"><input type="text" name="name" style="margin: 0px 0px 2px 0px; padding: 0;" /></td>
          </tr>
          <tr>
            <td style="width: 150px; margin: 0px 0px 2px 0px; padding: 0;"><b>Address</b>:</td>
            <td style="width: 350px;"><input type="text" name="address" style="margin: 0px 0px 2px 0px; padding: 0;" /></td>
          </tr>
          <tr>
            <td style="width: 150px; margin: 0px 0px 2px 0px; padding: 0;"><b>Address2</b>:</td>
            <td style="width: 350px;"><input type="text" name="address2" style="margin: 0px 0px 2px 0px; padding: 0;" /></td>
          </tr>
          <tr>
            <td style="width: 150px; margin: 0px 0px 2px 0px; padding: 0;"><b>Town</b>:</td>
            <td style="width: 350px;"><input type="text" name="town" style="margin: 0px 0px 2px 0px; padding: 0;" /></td>
          </tr>
          <tr>
            <td style="width: 150px; margin: 0px 0px 2px 0px; padding: 0;"><b>Postcode</b>:</td>
            <td style="width: 350px;"><input type="text" name="postcode" style="margin: 0px 0px 2px 0px; padding: 0;" /></td>
          </tr>
          <tr>
            <td style="width: 150px; margin: 0px 0px 2px 0px; padding: 0;"><b>Telephone</b>:</td>
            <td style="width: 350px;"><input type="text" name="telephone" style="margin: 0px 0px 2px 0px; padding: 0;" /></td>
          </tr>
          <tr>
            <td style="width: 150px; margin: 0px 0px 2px 0px; padding: 0;"><b>Website</b>:</td>
            <td style="width: 350px;"><input type="text" name="website" style="margin: 0px 0px 2px 0px; padding: 0;" /></td>
          </tr>
          <tr>
            <td style="width: 150px; margin: 0px 0px 2px 0px; padding: 0;"><b>Email</b>:</td>
            <td style="width: 350px;"><input type="text" name="email" style="margin: 0px 0px 2px 0px; padding: 0;" /></td>
          </tr>
          <tr>
            <td style="width: 150px; margin: 0px 0px 2px 0px; padding: 0; vertical-align: text-top;"><b>Text</b>:</td>
            <td style="width: 350px;"><textarea cols="50" name="text" rows="8" style="margin: 0px 0px 2px 0px; padding: 0;"></textarea></td>
          </tr>
          <tr>
            <td style="width: 150px; margin: 0px 0px 2px 0px; padding: 0;"><b>Image</b>:</td>
            <td style="width: 350px;"><input type="file" name="image" /></td>
          </tr>
          <tr>
            <td style="width: 150px; margin: 0px 0px 2px 0px; padding: 0;"> </td>
            <td style="width: 350px;"><input type="submit" name="submitform" value="Add Listing" /></td>
          </tr>
        </table>
      </form>
    </div>
    <div style="clear: both;"></div>
  </div>
</div>
</body>
</html>
```

Edited January 9, 2018 by gizmola redacting site name, other info

Link to comment https://forums.phpfreaks.com/topic/305962-3rd-party-script-suddenly-failed/

Barand
Posted December 22, 2017

There is more to switching from mysql_* functions to mysqli_* functions than just changing the spelling. mysqli_query() parameters are not the same - check the manual.

marksalehouse (Author)
Posted December 22, 2017

Thanks but this was written by a third party and I do not have the skills let alone a manual and know nothing about mysqli nor why it should be switched.

requinix
Posted December 23, 2017

Be wary of posting site URLs with code: sometimes code is unsafe and can be abused by a malicious user who discovers it. I've removed the domain name but it's only a small speedbump to a motivated attacker.

Please stop what you're doing and change your code from

```php
if($_SESSION['admin_login'] != 'loggedin'){
    header("Location: http://www.example.com/admin/login");
}
```

to

```php
if($_SESSION['admin_login'] != 'loggedin'){
    header("Location: http://www.example.com/admin/login");
    exit;
}
```

Credit to the user who identified the problem and reported the post.
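
Added example (not part of the original post or the site's code): `header()` only queues a response header and the script keeps running, so the rest of an admin page still executes for a visitor who is not logged in unless the redirect is followed by `exit`. The checker below flags `Location` redirects that are not followed by `exit`, `die` or `return`, so the other admin scripts can be audited for the same omission; `find_unterminated_redirects()` is a hypothetical helper name and the two sample sources are constructed from the snippets in the post.

```php
<?php
// Added example: find_unterminated_redirects() is a hypothetical helper,
// not part of the site's code. It reports header("Location: ...") calls
// whose next statement is not exit/die/return.
function find_unterminated_redirects(string $source): array
{
    // Drop whitespace and comments so "next token" means next real code.
    $skip = [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT];
    $tokens = array_values(array_filter(
        token_get_all($source),
        fn($t) => !is_array($t) || !in_array($t[0], $skip, true)
    ));

    $lines = [];
    $n = count($tokens);
    for ($i = 0; $i < $n - 1; $i++) {
        $t = $tokens[$i];
        $isHeader = is_array($t) && $t[0] === T_STRING && strtolower($t[1]) === 'header';
        if (!$isHeader || $tokens[$i + 1] !== '(') {
            continue;
        }
        // Collect the call's text up to the ';' that ends the statement.
        $call = '';
        for ($j = $i + 2; $j < $n && $tokens[$j] !== ';'; $j++) {
            $call .= is_array($tokens[$j]) ? $tokens[$j][1] : $tokens[$j];
        }
        if (stripos($call, 'location:') === false) {
            continue;
        }
        // exit and die both tokenize as T_EXIT.
        $next = $tokens[$j + 1] ?? null;
        if (!is_array($next) || !in_array($next[0], [T_EXIT, T_RETURN], true)) {
            $lines[] = $t[2]; // line of the header() call
        }
    }
    return $lines;
}

// Constructed samples: the two versions of the guard quoted in the thread.
$before = "<?php\nif(\$_SESSION['admin_login'] != 'loggedin'){\n"
        . "    header(\"Location: http://www.example.com/admin/login\");\n}\n";
$after  = str_replace(");\n}", "); exit;\n}", $before);

foreach (['before' => $before, 'after' => $after] as $label => $src) {
    $hits = find_unterminated_redirects($src);
    echo $label, ': ', $hits ? 'redirect without exit on line ' . implode(', ', $hits) : 'ok', "\n";
}
```

To audit real files, pass `file_get_contents($path)` for each script under the admin directory instead of the constructed samples.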

marksalehouse (Author)
Posted December 24, 2017

Thanks for that. I thought I had amended some of the details before copying. I tried your suggestion but no effect.

requinix
Posted December 24, 2017

What I said is unrelated to what you originally posted about: it's to fix a significant vulnerability in your code.

For your problem you need to listen to what Barand said. The mysql and mysqli functions are similar but not the same and you cannot just add an 'i'. Check the documentation for the various functions to see how they should be used. If you have specific questions from there then we can help with that.
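
Added example (not code from the thread or from the site's original developer): the point Barand and requinix make about mysqli, shown on the `premises` insert from the first post. The old `mysql_query($sql)` found the connection implicitly; mysqli needs the connection passed explicitly, and a prepared statement with bound parameters also keeps form values out of the SQL text. `add_listing()` is a hypothetical helper, the credentials are placeholders, the column names come from the posted query, and `id` is assumed to be an auto-increment key.

```php
<?php
// Added example. add_listing() is a hypothetical helper; column names are
// taken from the INSERT in the first post.

// Throw exceptions on database errors instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function add_listing(mysqli $db, array $post): int
{
    $columns = ['area', 'type', 'name', 'address', 'address2', 'town',
                'postcode', 'telephone', 'website', 'email', 'text'];

    // Take only the expected fields; anything else in $_POST is ignored.
    $values = [];
    foreach ($columns as $col) {
        $values[] = trim((string)($post[$col] ?? ''));
    }

    $sql = 'INSERT INTO `premises` (`' . implode('`,`', $columns) . '`) VALUES ('
         . implode(',', array_fill(0, count($columns), '?')) . ')';

    // Old API: mysql_query($sql) used the last opened connection.
    // mysqli: the connection is explicit, and values are bound, not interpolated.
    $stmt = $db->prepare($sql);
    $stmt->bind_param(str_repeat('s', count($columns)), ...$values);
    $stmt->execute();

    // Assumes `id` is auto-increment; this replaces the follow-up SELECT
    // the original used to look up the new row.
    return (int)$db->insert_id;
}

// Usage (placeholder credentials):
// $db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
// $id = add_listing($db, $_POST);
```

The procedural equivalent of the one-line change is `mysqli_query($link, $sql)`, with the connection as the first argument.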

marksalehouse (Author)
Posted December 26, 2017

Thanks. I did change the code. The rest of it is meaningless to me as I did not write the code and have no idea about it. Thanks anyway.

marksalehouse (Author)
Posted January 9, 2018

As I have got no further can you please just close this thread? Thanks.