sendMessage, massmessage and sysmessage are POSTed to directly, bypassing
admin.php's central csrf_verify(). Add csrf_verify() (after the admin access
check, via the shared GameEngine/Admin/csrf.php) and csrf_field() in their
forms (Newmessage.tpl, massmessage.tpl, sysmessage.tpl; the mass/sys templates
have both a prepare and an execute form).
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
Some installations seem to support localhost:port for 1st parameter of
mysqli_connect(), others will only support the official parameters with
port towards the end. This fix tries them both - first the official one,
then the localhost:port one.
Also, there were a lot of mysqli_connect()'s inside Admin mods. These
now also use the central Database class.
Ferywir