MakeWebGames

SQL Injections?


Syed


I was wondering if anyone knew any SQL injections that would work on these text-based games that have used the LDC, GC, AGL scripts? PM me if you know any way, so that I can test on my site and have a go at fixing them, so I can learn how to patch SQL injections :D

All Help Will Be Much Appreciated


I fully understand what you mean -- you don't want to research yourself and have the info handed to you.

Wrong place. Do some leg work, show us what you have got and we may just get somewhere.

Give a man a fish and all that shiz.

No, I am not asking to be given all the information. I am asking for help. I'm a newbie, I'm 17 years old. I want to learn more about this stuff from the professionals, so that when I gain more knowledge of this sort of stuff, I can help others out.


Age doesn't matter, on the topic, mysql_real_escape_string should sort out injections.


Don't lull yourself into a false sense of security with add-ons for anything if you don't understand the underlying cause.

Start to trust 3rd parties and you may as well just start to trust 3rd party input too (the user).

I agree, but once you have done the best you can using your own knowledge of how SQL works, then you can use that tool to verify that you have made it as watertight as you possibly can. Admittedly tools like that may not be accurate or may not cover everything, but they can offer some reassurance.

Edited by Octet

I agree, but by using tools like that then you can at least begin to see where your problems are. Admittedly they aren't always going to be accurate but it is a start.

Let me guess, you're that type of person who does this:

1. Sees a cool app.

2. Clicks *install*.

Am I right?

Meanwhile, this is what the app does:

1. Sees an illiterate.

2. Copies all browser data.

3. Looks for stuff, like cookies.

4. Attempts to download additional 3rd party apps.

5. Each third party app then begins the cycle over at step 1, and adds its own step onto the list.

You probably won't see the problem, since a hacker is probably already so deep into your sh*t that they're screening all the data between your GPU and other peripherals.


No, you are entirely wrong. It is the only app I have for Firefox, I take security extremely seriously but what I am saying is applications like this can be useful to check afterwards. I stated in my first post that it isn't going to be entirely accurate and shouldn't be used solely but it is good to check for common problems.


I agree with him

Who do you agree with? Me or Spudinski?


Both of you :p


Let's think about this sensibly. Companies use security audit tools all the time; you cannot suggest that some poor server admin goes along and checks through the server and the entire website etc. for security vulnerabilities? Yes, they must have an understanding of how it works, but the responsibility is too huge for them to do it by hand, and no company would trust a single person (or team of people) to do it because of the potential loss.

They would use a security audit tool, and yes, it won't be a free one which you can download as an add-on, but the principle is still the same.

SQL Inject ME runs a couple of hundred checks which return thousands of results... imagine doing that by hand...

Understand your security but don't expect to notice every problem by eye.

Edited by Octet

No one will give you the codes for SQL injection, unless you pay them to do so. And there are very few on here who know of them...

Have you, though, searched Google for "sql injection examples"? You may find a few things about them on there. And for the one that said mres will secure it, think again: mres is used for alpha fields, not for numeric, so it is not really securing everything in a script...


The goals may have moved slightly, but the aim is still somewhat the same.

Besides, this kid knows nothing of the subject, so old stuff is a good start.

Chris Shiflett - http://shiflett.org/articles - also has some articles.

Would I use them myself? Nope, I'd look up very specific answers, if needed.

True, but in today's world of online w/e, there's only one thing to prevent SQL injections.

Validate input, don't convert or strip it!

E.g.: preg_match('/^[a-z0-9]+$/i', $x) - if it doesn't validate, don't execute it.

It's damn simple, and yet it's always overlooked.


This one always gets me ... I'm trying to understand how this works.

In your example ... only numbers and letters would match, or it would return false. If it is true then it is placed into the variable $x.

So if I typed in daviD3, it's true, then $x = daviD3.

But if I typed in daviD_3, it's false because an underscore was not part of the matching criteria, therefore you would get an error message because of this and $x would not contain anything.

Am I understanding how this works ... or is that wrong?
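An added example, not code from the thread, working through the two points raised above: the anchored whitelist check that the last post asks about (preg_match returns 1 or 0 and never assigns to $x), and the earlier remark that mres does nothing for a numeric field. The function escapeLikeMres() is a stand-in I wrote for mysql_real_escape_string, which needs a live MySQL connection and was removed in PHP 7; the inputs are constructed for the demonstration.

```php
<?php
// Added example (not from the thread). Two points from the posts above:
//  1. escaping in the style of mysql_real_escape_string only backslashes
//     quotes and similar characters, so it leaves a value meant for an
//     unquoted numeric slot (WHERE id = ...) exactly as typed;
//  2. an anchored whitelist regex accepts "daviD3" and rejects "daviD_3".
// escapeLikeMres() is a stand-in for mysql_real_escape_string, which
// needs a live MySQL connection and was removed in PHP 7.

function escapeLikeMres(string $value): string
{
    // Same characters mysql_real_escape_string prefixes with a backslash.
    return strtr($value, [
        "\\" => "\\\\", "'" => "\\'", '"' => '\\"',
        "\0" => "\\0", "\n" => "\\n", "\r" => "\\r", "\x1a" => "\\Z",
    ]);
}

// Whitelist check from the post: true only if the whole string is letters
// and digits. preg_match returns 1 or 0; it never assigns to $x, so the
// caller keeps the original value and decides whether to use it.
function isAlnum(string $x): bool
{
    return preg_match('/^[a-z0-9]+$/i', $x) === 1;
}

// Same idea for a numeric field: digits only, nothing else.
function isDigits(string $x): bool
{
    return preg_match('/^[0-9]+$/', $x) === 1;
}

// Constructed inputs for the demonstration.
foreach (['daviD3', 'daviD_3'] as $name) {
    echo "username '$name': ", isAlnum($name) ? 'accepted' : 'rejected', "\n";
}

// A non-numeric value with no quote in it: escaping changes nothing, so
// the string would reach "WHERE id = " unchanged.
$userId  = '42 abc';
$escaped = escapeLikeMres($userId);
echo "escaped id: '$escaped' (unchanged: ", var_export($escaped === $userId, true), ")\n";

// The whitelist check refuses it before any SQL is assembled.
foreach ([$userId, '42'] as $id) {
    echo "id '$id': ", isDigits($id) ? 'accepted' : 'rejected', "\n";
}
```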
