Shot customer piikee bidding website system injection vulnerability and repair

Because there is no manufacturer, write a bidding system and send it to the webmaster who uses the system for waking up.
 
The name of the system is piikee.
Why 2B? The parameter values of all files in the foreground are as follows:
News_arc.php
 
<? Php
Define ('in _ JP ', true );
Require_once ("./config/init. php ");
 
$ Arcid = $ _ REQUEST ["arcid"];
If ($ arcid! = ""){
$ Qrynews2 = "select * from news where id =". $ arcid;
$ Objnews2 = $ GLOBALS ['db']-> get_one ($ qrynews2 );
} Else {
$ Objnews2 = "";
} Www.2cto.com
 
$ Qrycount = "select w. id, r. username, w. won_date, p. name,. auc_final_price,. auctionID, p. picture1, p. price, (100-100 *. auc_final_price/p. price) as discount,. auctionID from won_auctions w left join auction a on w. auction_id =. auctionID left join products p on. productID = p. productID inner join registration r on w. userid = r. id where w. userid> = 0 order by w. won_date desc limit 0, 7 ";
$ Obj1 = $ GLOBALS ['db']-> select ($ qrycount );
 
$ Smarty-> assign ("obj1", $ obj1 );
$ Smarty-> assign ("objnews2", $ objnews2 );
$ Smarty-> display('news_arc.htm ');
?>
 
It is estimated that programmers will rush home to give birth to children, so they can join in writing.
Proof of vulnerability: Because the Database Password is stored in plain text, this saves the trouble of cracking. You can view it in siteadmin/addadminmember. php.
What should I do with shell?
Check the host. If iis6 or Apache is used, upload the number file and % in the advertising management office.
Solution:
 
This program must be rewritten...
 
Author piaoye