pvpgn-stats: Multiple SQL injection vulnerabilities, and mysql_* functions removed from PHP7

[reillychase]

I wouldn't recommend for anyone to host this utility in its current state.

• Current SQL handler classes do not filter database queries, allowing SQL injection vulnerabilities
• An attacker can obtain full access to PvPGN database including all emails, usernames, and passwords (easy to crack XSHA1)

In addition to the SQL injection vulnerabilities, the mysql_* database functions have been removed from PHP7 in favor of MySQLi and PDO, so it won't run on new OS installs, for example Debian 9.

Both issues can be fixed by updating the code to use PDO. I began working on a patch but didn't finish it yet, hopefully someone else who is more familiar with PHP can upgrade the util.

SQL Injection Vulnerable Parameters:

1. POST /ladder/stats.php?action=search HTTP/1.1

game=W2BN&type=team&user_search=[INJECT]&x=1&y=10

2. GET /ladder/stats.php?game=[INJECT]&type=[INJECT]&sortBy=username&sort_direction=[INJECT] HTTP/1.1

3. GET /ladder/stats.php?game=W2BN&type=1&user=[INJECT] HTTP/1.1

[KuroRaiken]

Is there an analogue of this monitoring?