MakeWebGames


Posted

A snippet of a functional working query on a demo site

 

$db->query("UPDATE `myplayers` SET `exp`=`exp`+%%u%%,`cash`=`cash`+%%u%% WHERE `userid`=%%d%%", $expgain, $stole, $userid);
$db->query("UPDATE `myplayers` SET `hp`=1,`cash`=`cash`-%%d%%,`hospital`=%%u%%,`hospreason`='Mugged by <a href=\'viewuser.php?u=".number_Format($userid)."\'>".strip_tags($ir['username'])."</a>, ' WHERE `userid`=%%u%%", $stole, $hosptime, $r['userid']);

Posted
Fatal error: Call to a member function query() on a non-object

query was:

[mysql]

UPDATE `godzilla` SET `column` = `column` + %%u%% WHERE `user` = %%d%%", 1, 1

[/mysql]

FAIL^

What version of MySQL are you running? Maybe it's unique to your version.

Posted

Not the latest version but close

MySQL version 5.0.89

Edit X's 2.

Normally yes, ' ' is just for strings, obviously. However, it failed for me until I added ' ' around the % as well.

----

Alan, You've destroyed countless games and you're not even an adult yet. God forbid when you can be held legally liable for the idiocy you provide to the general public. Wish I could be there.

Posted
Yes, you've been hacking and manipulating people the longest out of anyone, congratulations!

If it didn't work, then why is it working on my queries?

LMFAO! hacked? No - Exploiting kinda. :-D

Ermm, stop that a long time ago, and oh please don't try say you haven't because we all know you have.

Working on your queries, yes you've probably added, sprintf, or vsprintf, in the MC CODE DB CLASS. && Read back to my post, n00b! :D

Posted
Focus more on studying than hacking maybe you could get it to work, I did, go figure that one?

No need, know more than you ^_^

Hacking No, Exploiting = Old.

So go back to php.net no WAIT you only can learn from other people's coding? ^_^ MCCODES = failure = you ;]

Posted
I think as long as the output is secure you're fine... In some eyes I'll be wrong; in my own I'm correct.

Securing output protects from XSS. Securing input protects from SQL injections.

 

 

er file page you know what i meant.

[..] I don't wanna hear it from you, you didn't know that %u / %s %d do not NEED sprintf to operate ^_^ [/..]

As far as I am aware, that particular syntax is specific to the printf family of functions, unlike in Python... If I'm wrong, where can you use this kind of string formatting?

 

So are you going to use your "new found" way or stick to the longer but most understanding way, Bet most people never even knew SprintF was a filter (notice the F in sprintF, printF, vsprintF).

The F stands for formatting, not filter ;)

 

A snippet of a functional working query on a demo site

 

$db->query("UPDATE `myplayers` SET `exp`=`exp`+%%u%%,`cash`=`cash`+%%u%% WHERE `userid`=%%d%%", $expgain, $stole, $userid);
$db->query("UPDATE `myplayers` SET `hp`=1,`cash`=`cash`-%%d%%,`hospital`=%%u%%,`hospreason`='Mugged by <a href=\'viewuser.php?u=".number_Format($userid)."\'>".strip_tags($ir['username'])."</a>, ' WHERE `userid`=%%u%%", $stole, $hosptime, $r['userid']);
If I'm correct, then that's just the way your $db->query function is written. I don't think this is actual mysql OR php syntax. If it were PHP, then it would be documented in the mysql_query function. If this were mysql, then you'd be able to execute this in say, phpmyadmin.

mysqli has some string formatting and variable binding functions, but I don't think you're using mysqli.
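
Added example, not part of any post in this thread and not MCCodes code: it shows what a `query()` wrapper that forwards to `vsprintf()` does with `%u`, `%d` and `%s`, next to a bound-parameter version. `FormatDb`, the sample values and the use of PDO with in-memory SQLite in place of MySQL are assumptions made for the illustration.

```php
<?php
// Added illustration. FormatDb is a hypothetical stand-in for a query()
// wrapper that passes its arguments through vsprintf(); it is not MCCodes code.
final class FormatDb
{
    public static function build(string $sql, ...$args): string
    {
        return vsprintf($sql, $args);   // formats only, never escapes
    }
}

// Constructed sample inputs.
$stole    = "250 coins";  // numeric prefix followed by text
$userid   = "7";
$username = "O'Brien";    // ordinary name that contains a single quote

// %u and %d convert the argument to an integer, so these slots stay numeric.
echo FormatDb::build(
    "UPDATE `myplayers` SET `cash`=`cash`-%u WHERE `userid`=%d",
    $stole, $userid
), "\n";

// %s copies the string verbatim. strip_tags() removes markup, not quotes,
// so the quote in the name closes the SQL string literal early.
echo FormatDb::build(
    "UPDATE `myplayers` SET `hospreason`='Mugged by %s' WHERE `userid`=%u",
    strip_tags($username), $userid
), "\n";

// Bound parameters keep data out of the SQL text entirely. Assumption: the
// pdo_sqlite extension, with an in-memory database standing in for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE myplayers (userid INTEGER, cash INTEGER, hospreason TEXT)");
$pdo->exec("INSERT INTO myplayers VALUES (7, 1000, '')");

$stmt = $pdo->prepare(
    "UPDATE myplayers SET cash = cash - ?, hospreason = ? WHERE userid = ?"
);
$stmt->execute([(int) $stole, "Mugged by " . $username, (int) $userid]);

$row = $pdo->query("SELECT cash, hospreason FROM myplayers WHERE userid = 7")
           ->fetch(PDO::FETCH_ASSOC);
// Escape on the way out, when the stored text is rendered as HTML.
echo $row['cash'], " ", htmlspecialchars($row['hospreason'], ENT_QUOTES, 'UTF-8'), "\n";
```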

Posted
^_^ MCCODES = failure = you ;]

I'm hurt, a child called me a failure.

 

Learn from other people's codes? Why not? Every day you learn from everyone else as well as the PHP manual. It's called education, methinks you should seek it out.

Posted
The F stands for formatting, not filter ;)

There is a difference in what they do?

My bad, format not filter, but I prefer filter, gives more insight into the action.

LazyT & Bug stop acting like kids seriously "my dads bigger than yours" don't make me hit you both with a php manual and send you to bed with no supper (calm down it's only a commercial).

Guest cablebox
Posted

Looks great! Great job for learning. Some bits do not look right, but it is still good. Keep up the good work!

Posted

Well done OP :)

As for the formatting remarks, confused the toodles out of me :P

But if I think I'm right if you wrap in quotes and don't sprintf() by my logic it will input %%u% ImmortalThug :)
