HELP! SQL-Injection Atacked!

[mxyi]

hello all!

recently i found a person on my game called Major561 or somthing and i caught him with 2147m (max for normal int) wich would take frigin ages to get also he had 1.5b crystals.. i deleted them and banned him but how do i stop this from happening again?! also how do i ip ban people? thanks dudes also im the only one with access to the phpmyadmin no staff actions from it in the staff panel so it must be sql injection

[Dayo]

im not to big on hacking but any unsecure user input can be hacked to do this (all/most user input for mccodes) you will have to go throgh ALL your scripts and secure them

[rulerofzu]

All $_GET and $_POST should be secured. Remove any $_SERVER['PHP_SELF']

There is a lot of places it could be a problem. If you do not know what your doing there is recommended coders on here that will charge a fee to go through your scripts and sort it out.

[bladewolf2010]

KcMajor? XD he did it from the cmarket i'm going to guess

[Paddy]

Please note:

this is not a fix. it just helps you get the user auto jailed so if you are not online his / her money or crystals can not be stolen or used/transferred

 

use this till you get your site sorted out and secured then remove

add this code to your header

 

   	if($ir['money'] > 2700000000 OR $ir['crystals'] > 60000 AND $ir['userid'] != 1 AND $ir['userid'] != 2) {
	die("<table>
     	<td class='your class'> Under investigation!!!</td></table>


  	<font color='#ffffff'>You have over $2.700,000,000 in cash OR 60.000 in crystals, 
     	Your account is under investigation.Please mail Admin on [email][email protected][/email]</font>");
    	mysql_query("UPDATE users SET fedjail=1000 WHERE userid={$ir['userid']}"); 
}

[Jordan Palmer]

Paddy, You're ''help'' is wrong as you'd also need to insert into the fedjail log's. I'd also say You should sent some event to staff informing them off the Cheating person :]

[Dayo]

plus if i hacked would just re resister then set my money to 2699999999 ... bank it then do it again plus some games rely on large ammounts of money using bigint

but your way would help stop script kiddies, maby IP banning them would stop the re resestering or setting a session then checking for the session registration

[Paddy]

this is to be used for a day or 2 till site is fixed, so that you dont have to reset, ive seen games that had to reset cos the hacker giving users money - crystals or getting mugged, this usually happens when admin is fast asleep and no staff online so yes it is a good script to use to start with.

As stated in my first post

"use this till you get your site sorted out and secured then remove" so that will answer the bigint pointed out, it is not to be used as secured but as a temporary security

[Zero-Affect]

It's not a bad temp protection till sorting out.

[layto]

.

Does anyone have the sql injection so i can test my game to see? PM If you do thanks

[Dayo]

Does anyone have the sql injection so i can test my game to see? PM If you do thanks

LOL no 1 will send you an sql injection

you can ask people like eternal/crazy-t to test the site for you (just a few examples of people they may not actuly do it) but as i said no1 will send you the sql injection as you could be some newb who would go around hacking sites

[Dave]

Does anyone have the sql injection so i can test my game to see? PM If you do thanks

That's what they all say.. I'd remove your post before you get majorly flamed on. Everyone knows your motive and why you wan't the code.

Edit: DAMN YOU DAYO D:

[Haunted Dawg]

Does anyone have the sql injection so i can test my game to see? PM If you do thanks

Everyone knows your motive and why you wan't the code.

Not everyone want's the SQL Injection for that purpose!

[Dayo]

but 905 of people do, like i said just get some one to do it for you that way there are a not as many people who know how to do it

[Dominion]

no ones going to help you on here, however google it and there not hard to find.