jedigunz Posted December 11, 2015

Hi everyone, it's been a while since I've been on the forums, but I was hoping someone could help. Has anyone got a piece of script to stop this SQL injection??

cmarket.php?action=buy&ID=1 union all select 1,99999999,0,0

I used to have something that went in the header.php to stop SQL injections. Can anyone lend a hand please??

-JediGunz
Dominion Posted December 11, 2015

This should have been patched. Have you downloaded the latest version? It should be fairly simple if it wasn't. Check and sanitize the $_GET before passing anything. http://php.net/manual/en/filter.filters.validate.php If it's been updated to use mysqli, use prepared statements, but something tells me they haven't updated for newer versions. If you need help fixing the specific problem I'll need to see more. I haven't seen an mccodes file in a long time.
jedigunz (Author) Posted December 11, 2015

Quoting Dominion: This should have been patched. Have you downloaded the latest version? It should be fairly simple if it wasn't. Check and sanitize the $_GET before passing anything. http://php.net/manual/en/filter.filters.validate.php If it's been updated to use mysqli, use prepared statements, but something tells me they haven't updated for newer versions. If you need help fixing the specific problem I'll need to see more. I haven't seen an mccodes file in a long time.

Thing is, with v2, I got the original version maybe around 10 years ago when it first came out. I no longer have access to the email accounts that it was purchased with lool. There's a few injections possible like this. I have no idea about SQL injections and how to prevent them; what would you need to look at? Maybe I can post it here.
NonStopCoding Posted December 11, 2015

A simple fix-up would be $_GET['ID'] = abs(intval($_GET['ID'])); also, if it's not already done, you need to check if the ID is empty using the function empty().
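The two defences suggested so far (validate the $_GET value, then use a prepared statement once on mysqli) put together in one added example. This is not mccodes code and not from any poster; the `items` table, its column names and the `$db` connection are assumptions, and the sample input is the query-string value from the first post.

```php
<?php
// Added example, not mccodes code. Assumes a mysqli connection $db and an
// `items` table with columns itmid, itmname, itmbuyprice (hypothetical names).

// Constructed sample: the ID value from the first post's URL, after urldecode().
$sample = '1 union all select 1,99999999,0,0';

// Magic quotes / addslashes() only escape quotes and backslashes. This value
// contains neither, so it passes through unchanged: that is why magic quotes
// do nothing for an injection into a numeric context.
var_dump(addslashes($sample) === $sample);   // bool(true)

// Allow-list validation: accept only a positive integer, reject everything else.
// min_range => 1 also covers the empty()/zero check mentioned in the thread.
function validate_item_id($raw) {
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return ($id === false) ? null : $id;
}

var_dump(validate_item_id($sample));   // NULL  (rejected)
var_dump(validate_item_id('42'));      // int(42)
var_dump(validate_item_id('0'));       // NULL  (rejected)

// Vulnerable pattern the thread is about: the raw parameter is concatenated
// into the SQL string, so anything after the number becomes part of the query.
//   mysql_query("SELECT * FROM items WHERE itmid={$_GET['ID']}");

// Hardened lookup: validate first, then bind the integer as a parameter so the
// database never parses it as SQL. get_result() needs the mysqlnd driver.
function fetch_item(mysqli $db, $raw_id) {
    $id = validate_item_id($raw_id);
    if ($id === null) {
        return null;   // treat as "no such item"; log it if you want telemetry
    }
    $stmt = $db->prepare('SELECT itmid, itmname, itmbuyprice FROM items WHERE itmid = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row;   // assoc array, or null when no row matched
}

// Usage in a buy handler (assumed $db):
//   $item = fetch_item($db, $_GET['ID'] ?? '');
//   if ($item === null) { die('Invalid item.'); }
```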
jedigunz (Author) Posted December 11, 2015

Fixed it!! This worked in the header.php
-=-=-=-=--=-=-=--=-=-=-=-=-=-=-=-
$hc = $set['hospital_count'];
$jc = $set['jail_count'];
$ec = $ir['new_events'];
$mc = $ir['new_mail'];
$ids_checkpost = urldecode($_SERVER['QUERY_STRING']);
if (eregi("[\'|'/'\''<'>'*'~'`']", $ids_checkpost) || strstr($ids_checkpost, 'union') || strstr($ids_checkpost, 'java') || strstr($ids_checkpost, 'script') || strstr($ids_checkpost, 'substring(') || strstr($ids_checkpost, 'ord()')) {
    $passed = 0;
    echo "<center>What are you trying to do? whatever it is stop it!</center>"; // or blank so they not know they failed..
    event_add(3, "<font color=red>" . $ir['username'] . "</font> <b> Tried to use [" . $_SERVER['SCRIPT_NAME'] . "{$ids_checkpost}].. ");
    exit;
}
NonStopCoding Posted December 11, 2015

Quoting jedigunz: Fixed it!! This worked in the header.php
-=-=-=-=--=-=-=--=-=-=-=-=-=-=-=-
$hc = $set['hospital_count'];
$jc = $set['jail_count'];
$ec = $ir['new_events'];
$mc = $ir['new_mail'];
$ids_checkpost = urldecode($_SERVER['QUERY_STRING']);
if (eregi("[\'|'/'\''<'>'*'~'`']", $ids_checkpost) || strstr($ids_checkpost, 'union') || strstr($ids_checkpost, 'java') || strstr($ids_checkpost, 'script') || strstr($ids_checkpost, 'substring(') || strstr($ids_checkpost, 'ord()')) {
    $passed = 0;
    echo "<center>What are you trying to do? whatever it is stop it!</center>"; // or blank so they not know they failed..
    event_add(3, "<font color=red>" . $ir['username'] . "</font> <b> Tried to use [" . $_SERVER['SCRIPT_NAME'] . "{$ids_checkpost}].. ");
    exit;
}

Just to let you know that eregi is deprecated now and won't be used in later versions, or is already not being used. I believe it's preg_match now, correct me if I am wrong?
jedigunz (Author) Posted December 11, 2015

Quoting NonStopCoding: Just to let you know that eregi is deprecated now and won't be used in later versions, or is already not being used. I believe it's preg_match now, correct me if I am wrong?

With the v2 version I've got I have to use PHP-4.2 or PHP-4.3, as it relies on Magic Quotes, and Magic Quotes has been permanently false from PHP-4.4. Really annoying to be honest, but I don't really notice it as I have to use an older version anyway. Do you own http://nonstopcoding.com/ by the way??
Dominion Posted December 11, 2015 (edited)

Quoting jedigunz: Thing is, with v2, I got the original version maybe around 10 years ago when it first came out. I no longer have access to the email accounts that it was purchased with lool. There's a few injections possible like this. I have no idea about SQL injections and how to prevent them; what would you need to look at? Maybe I can post it here.

[MENTION=68711]KyleMassacre[/MENTION] seems to be supporting Mccodes, so maybe he could check your old E-mail and update the account. Also try [MENTION=52003]Dave Macaulay[/MENTION], [MENTION=50368]Dabomstew[/MENTION], and [MENTION=50433]ColdBlooded[/MENTION]. I really hope every tag gives them an E-mail. CB and dabs might answer... Anyway, since it's using the buy function, you could post that.

Quoting jedigunz: Fixed it!! This worked in the header.php
-=-=-=-=--=-=-=--=-=-=-=-=-=-=-=-
$hc = $set['hospital_count'];
$jc = $set['jail_count'];
$ec = $ir['new_events'];
$mc = $ir['new_mail'];
$ids_checkpost = urldecode($_SERVER['QUERY_STRING']);
if (eregi("[\'|'/'\''<'>'*'~'`']", $ids_checkpost) || strstr($ids_checkpost, 'union') || strstr($ids_checkpost, 'java') || strstr($ids_checkpost, 'script') || strstr($ids_checkpost, 'substring(') || strstr($ids_checkpost, 'ord()')) {
    $passed = 0;
    echo "<center>What are you trying to do? whatever it is stop it!</center>"; // or blank so they not know they failed..
    event_add(3, "<font color=red>" . $ir['username'] . "</font> <b> Tried to use [" . $_SERVER['SCRIPT_NAME'] . "{$ids_checkpost}].. ");
    exit;
}

Don't use a header.php script to check things. A lot of "quick fix" codes went around when Mccodes came out, and since. They have never been good ideas.

Quoting jedigunz: With the v2 version I've got I have to use PHP-4.2 or PHP-4.3, as it relies on Magic Quotes, and Magic Quotes has been permanently false from PHP-4.4. Really annoying to be honest, but I don't really notice it as I have to use an older version anyway. Do you own http://nonstopcoding.com/ by the way??

Magic quotes have never been a working part of PHP. Please don't use them. Even more so if it means using such an old PHP version.

Edited December 11, 2015 by Dominion
jedigunz (Author) Posted December 11, 2015

Quoting Dominion: [MENTION=68711]KyleMassacre[/MENTION] seems to be supporting Mccodes, so maybe he could check your old E-mail and update the account. Also try [MENTION=52003]Dave Macaulay[/MENTION], [MENTION=50368]Dabomstew[/MENTION], and [MENTION=50433]ColdBlooded[/MENTION]. I really hope every tag gives them an E-mail. CB and dabs might answer... Anyway, since it's using the buy function, you could post that. Don't use a header.php script to check things. A lot of "quick fix" codes went around when Mccodes came out, and since. They have never been good ideas. Magic quotes have never been a working part of PHP. Please don't use them. Even more so if it means using such an old PHP version.

So doesn't the new version of mcv2 use Magic Quotes then?? And also has SQL injection prevention in place and is more stable??
KyleMassacre Posted December 11, 2015

Yep Dom, I get the emails (faster than topic replies). If you get me the email or domain you used to license your game I can see what I can do for you. But yes, all you really need is abs(int($_GET['id'])); and that should fix it. The link Dom gave you is also excellent when you upgrade to PHP > 5*

- - - Updated - - -

It is more secure than V2. It checks to see if you have magic quotes enabled and sanitizes stuff if it does/does not. But GMQ has been determined really bad, so it has been disabled by default now in later PHP versions.
KyleMassacre Posted December 11, 2015

I think I figured out that dumb "- - - UPDATED - - -" thing. Seems if you post again, it will update your latest post, so this is a test haha

- - - Updated - - -

Maybe not?
jedigunz (Author) Posted December 11, 2015 (edited)

Quoting KyleMassacre: Yep Dom, I get the emails (faster than topic replies). If you get me the email or domain you used to license your game I can see what I can do for you. But yes, all you really need is abs(int($_GET['id'])); and that should fix it. The link Dom gave you is also excellent when you upgrade to PHP > 5*

Kyle, I think I had you on MSN along with ColdBlooded around 8-10 years ago. I used so many emails and probably started and stopped about 30 websites. Does [email protected] or [email protected] or [email protected] come up at all??

(edited) Oh, I am on PHP 5, mistyped 4 lool

Edited December 11, 2015 by jedigunz
Dominion Posted December 11, 2015

Quoting jedigunz: So doesn't the new version of mcv2 use Magic Quotes then?? And also has SQL injection prevention in place and is more stable??

Like I said, I haven't seen it in a long time, but if it still uses Magic Quotes I would worry. They have never been a way to secure PHP. They were a flop on that front. The idea was good, but a one-feature-fixes-everything approach never works. All it does is addslashes() everything. http://php.net/manual/en/security.magicquotes.php

Quoting KyleMassacre: Yep Dom, I get the emails (faster than topic replies). If you get me the email or domain you used to license your game I can see what I can do for you. But yes, all you really need is abs(int($_GET['id'])); and that should fix it. The link Dom gave you is also excellent when you upgrade to PHP > 5* - - - Updated - - - It is more secure than V2. It checks to see if you have magic quotes enabled and sanitizes stuff if it does/does not. But GMQ has been determined really bad, so it has been disabled by default now in later PHP versions.

The E-mail comment was aimed at CB and dabs, not the staff members that check the forums anyway. I tagged you and Dave because I figured you would check the forums and get the notification the site gives you.
KyleMassacre Posted December 11, 2015

Quoting jedigunz: Kyle, I think I had you on MSN along with ColdBlooded around 8-10 years ago. I used so many emails and probably started and stopped about 30 websites. Does [email protected] or [email protected] or [email protected] come up at all?? (edited) Oh, I am on PHP 5, mistyped 4 lool

If you give me your first and last name I could find it that way.
jedigunz (Author) Posted December 11, 2015

Quoting KyleMassacre: If you give me your first and last name I could find it that way.

Again, I used a fake name with PayPal as I was only 13 at the time :p I'm 23 now. My name's Luke Dunne but I think I used James something lool
Dominion Posted December 11, 2015

Quoting jedigunz: Again, I used a fake name with PayPal as I was only 13 at the time :p I'm 23 now. My name's Luke Dunne but I think I used James something lool

PayPal don't check anything, do they? Super secure... unless you spend money, then we don't care. O.o
jedigunz (Author) Posted December 11, 2015

Quoting Dominion: PayPal don't check anything, do they? Super secure... unless you spend money, then we don't care. O.o

Can't remember the name I used or the email or address on that account, that's the thing :p Don't think there's anything you can do for me unless it comes back to me.
Dominion Posted December 11, 2015

Quoting jedigunz: Can't remember the name I used or the email or address on that account, that's the thing :p Don't think there's anything you can do for me unless it comes back to me.

Can't recover your old PayPal?
jedigunz (Author) Posted December 11, 2015

Quoting Dominion: Can't recover your old PayPal?

No, it's really bugging me as well. Would love to have the updated version.
Dominion Posted December 11, 2015

Quoting jedigunz: No, it's really bugging me as well. Would love to have the updated version.

I don't have a copy myself. Do Mccodes have license keys? Maybe they could match that to your copy?
KyleMassacre Posted December 11, 2015

Nope, nothing popped up with any of those. I found your current account but not any others.
lucky3809 Posted December 12, 2015

If you can afford it, just pay for someone to go through the engine you have now and secure it for you. Or buy another copy of mccodes for the upgrade. Or look up on Google how to secure it; it's really not that hard to do. You just have to have time on your hands to do so, or money lol.
RJDGaming Posted December 12, 2015

Just leaving this here. http://teachthe.net/?cat=59
Dominion Posted December 12, 2015

Quoting RJDGaming: Just leaving this here. http://teachthe.net/?cat=59

I forgot about seanybob's website. :)
NonStopCoding Posted December 13, 2015

Quoting jedigunz: With the v2 version I've got I have to use PHP-4.2 or PHP-4.3, as it relies on Magic Quotes, and Magic Quotes has been permanently false from PHP-4.4. Really annoying to be honest, but I don't really notice it as I have to use an older version anyway. Do you own http://nonstopcoding.com/ by the way??

Yea, that's my website.