Jump to content
MakeWebGames

SQL Injections?

Syed

By Syed
in General

 Share

Recommended Posts

Syed Newbie

Syed

Posted
Posted

I was wondering if anyone new any SQL injections that would work on these textbased games, that have used the LDC, GC , AGL scripts? PM me if you know any way, so that I can test on my site so that I can have a go at fixing them, so I can learn how to patch SQl Injections :D

All Help Will Be Much Appreciated

Syed Newbie

Syed

Posted
  • Author
Posted
I fully understand what you mean -- you don't want to research yourself and have the info handed to you.

Wrong place. Do some leg work, show us what you have got and we may just get somewhere.

Give a man a fish and all that shiz.

No., I am not asking to be given all the information. I am asking for help, Im a newbie, im 17 years old. I want to learn more about this stuff from the proffesionals, so that when I gain more knowledge of this sort of stuff, I can help others out.

Guest

Guest

Posted
Posted
No., I am not asking to be given all the information. I am asking for help, Im a newbie, im 17 years old. I want to learn more about this stuff from the proffesionals, so that when I gain more knowledge of this sort of stuff, I can help others out.

Age doesn't matter, on the topic, mysql_real_escape_string should sort out injections.

Syed Newbie

Syed

Posted
  • Author
Posted

I just wanna know how to delete tables from the db through the site change data etc. Ive sorted the one on forum and edit profile.. do you know of any others

Octet Newbie

Octet

Posted
Posted

The best way to check if your site is vulnerable is to use the Firefox add on 'SQL Inject ME' which scans for common problems, from then on you can research each problem individually and resolve it yourself.

Octet Newbie

Octet

Posted
Posted (edited)
Don't lull yourself into a false sense of security with add-ons for anything if you don't understand the underlying cause.

Start to trust 3rd parties and you may as well just start to trust 3rd party input too (The user)

I agree, but once you have done the best you can using your own knowledge on how SQL works then you can use that tool to verify that you have made it as water tight as you possibly can. Admittedly tools like that may not be accurate or may not cover everything but it can offer some reassurance.

Edited by Octet
Spudinski Newbie

Spudinski

Posted
Posted
I agree, but by using tools like that then you can at least begin to see where your problems are. Admittedly they aren't always going to be accurate but it is a start.

Let me guess, you're that type of person who does this:

1. Sees a cool app.

1. Clicks *install*.

Am I right?

Meanwhile, this is what the app does:

1. Sees an illiterate.

2. Copies all browser data.

3. Looks for for stuff, like cookies.

4. Attempts to download additional 3rd party apps.

5. Each third party app then begins the cycle over at step 1, and adds their own step onto the list.

You probably won't see the problem, since a hacker is probably already so deep into your sh*t that they're screening all the data between your GPU and other peripherals.

Octet Newbie

Octet

Posted
Posted
Let me guess, you're that type of person who does this:

1. Sees a cool app.

1. Clicks *install*.

Am I right?

Meanwhile, this is what the app does:

1. Sees an illiterate.

2. Copies all browser data.

3. Looks for for stuff, like cookies.

4. Attempts to download additional 3rd party apps.

5. Each third party app then begins the cycle over at step 1, and adds their own step onto the list.

You probably won't see the problem, since a hacker is probably already so deep into your sh*t that they're screening all the data between your GPU and other peripherals.

No, you are entirely wrong. It is the only app I have for Firefox, I take security extremely seriously but what I am saying is applications like this can be useful to check afterwards. I stated in my first post that it isn't going to be entirely accurate and shouldn't be used solely but it is good to check for common problems.

 

I agree with him

Who do you agree with? Me or Spudinski?

Syed Newbie

Syed

Posted
  • Author
Posted
No, you are entirely wrong. It is the only app I have for Firefox, I take security extremely seriously but what I am saying is applications like this can be useful to check afterwards. I stated in my first post that it isn't going to be entirely accurate and shouldn't be used solely but it is good to check for common problems.

 

Who do you agree with? Me or Spudinski?

Both of you :p

Octet Newbie

Octet

Posted
Posted (edited)

Let's think about this sensibly, companies use security audit tools all the time, you cannot suggest that some poor server admin goes along and checks through the server and the entire website e.t.c. for security vulnerabilities? Yes, they must have an understanding how it works but the responsibility is too huge for them to do it by hand, and no company would trust a single person (or team of people) to do it because of the potential loss.

They would use a security audit tool, and yes it won't be a free one which you can download as an add on but the principal is still the same.

SQL Inject ME runs a couple of hundred checks which returns thousands of results... imagine doing that by hand...

Understand your security but don't expect to notice every problem by eye.

Edited by Octet
lucky3809 Newbie

lucky3809

Posted
Posted

No one will give you the codes to sql injection, unless you pay them to do so. And there are very few on here that knows of them...

Have you though searched google "sql injection examples" ??? You may find a few things about them on there. And for the one that said mres will secure it, think again mres is used for alpha fields not for numeric so it is not really securing everything in a script...

a_bertrand Newbie

a_bertrand

Posted
Posted

You could use it even for numeric and mysql will then transform it in number back. Yet the real solution IMO is called mysqli even if the default lib offered is not really user friendly.

Spudinski Newbie

Spudinski

Posted
Posted
The goals may have moved slightly, but the aim is still somewhat the same.

Besides, this kid knows nothing of the subject, so old stuff is a good start.

Chris Shiflett - http://shiflett.org/articles - also have some articles.

Would I use them myself? Nope, I'd look up very specific answers, if needed.

True, but in today's world of online w/e, there's only one thing to prevent SQL Injections.

Validate input, don't convert or strip it!

 

E.g.: preg_match('[a-z0-9]', $x) - if it doesn't validate, don't execute it.

It's damn simple, and yet it's always overlooked.

newttster Enthusiast

newttster

Posted
Posted
True, but in today's world of online w/e, there's only one thing to prevent SQL Injections.

Validate input, don't convert or strip it!

 

E.g.: preg_match('[a-z0-9]', $x) - if it doesn't validate, don't execute it.

It's damn simple, and yet it's always overlooked.

This one always gets me ... I'm trying to understand how this works.

In your example ... only numbers and letters would match or it would return false. If it is true then it is placed into the variable $X.

So if I typed in daviD3, it's true then $X=daviD3.

But if I typed in daviD_3, it's false because an underscore was not part of the matching criteria therefore you would get an error message because of this and $X would not contain anything.

Am I understanding how this works ... or is that wrong?

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...