SQL Injection,. Help to Prevent Please :D

[jedigunz]

Hi Everyone its been a while since I've been on the forums but was hoping someone could help

Has anyone got a piece of script to stop this SQL injection ??

cmarket.php?action=buy&ID=1 union all select 1,99999999,0,0

I used to have something that went in the header.php to stop SQL Injections can anyone lend a hand please ??

-JediGunz

[Dominion]

This should have been patched. Have you download the latest version?

It should be fairly simple if it wasn't. Check, and sanitize the $_GET before passing anything. http://php.net/manual/en/filter.filters.validate.php

If it's been updated to use mysqli use prepared statements, but something tells me they haven't updated for newer versions.

If you need help fixing the specific problem I'll need to see more. I haven't seen an mccodes file in a long time.

[jedigunz]

This should have been patched. Have you download the latest version?

It should be fairly simple if it wasn't. Check, and sanitize the $_GET before passing anything. http://php.net/manual/en/filter.filters.validate.php

If it's been updated to use mysqli use prepared statements, but something tells me they haven't updated for newer versions.

If you need help fixing the specific problem I'll need to see more. I haven't seen an mccodes file in a long time.

Thing is with v2 ,. I got the original version maybe around 10 years ago when it first come out,. I no longer have access to the email accounts that it was purchased with lool,. there's a few injections possible like this,. I have no idea about SQL injections and how to prevent them, what would you need to look at maybe i can post it here

[NonStopCoding]

a simple fix up would be

$_GET['ID'] = abs(intval($_GET['ID']));

 

also if its not already done you need to check if the id is empty using the function

empty()

.

[jedigunz]

Fixed It !! this worked in the header.php

 

-=-=-=-=--=-=-=--=-=-=-=-=-=-=-=-

 

$hc = $set['hospital_count'];
	$jc = $set['jail_count'];
	$ec = $ir['new_events'];
	$mc = $ir['new_mail'];

$ids_checkpost=urldecode($_SERVER['QUERY_STRING']);
if(eregi("[\'|'/'\''<'>'*'~'`']",$ids_checkpost) || strstr($ids_checkpost,'union') || strstr($ids_checkpost,'java') || strstr($ids_checkpost,'script') || strstr($ids_checkpost,'substring(') || strstr($ids_checkpost,'ord()')){

$passed=0;
echo "<center>What are you trying to do? whatever it is stop it!</center>"; // or blank so they not know they failed..
event_add(3,"<font color=red>".$ir['username']."</font> <b> Tried to use [".$_SERVER['SCRIPT_NAME']."{$ids_checkpost}].. ");
exit;
}

[NonStopCoding]

Fixed It !! this worked in the header.php

 

-=-=-=-=--=-=-=--=-=-=-=-=-=-=-=-

 

$hc = $set['hospital_count'];
	$jc = $set['jail_count'];
	$ec = $ir['new_events'];
	$mc = $ir['new_mail'];

$ids_checkpost=urldecode($_SERVER['QUERY_STRING']);
if(eregi("[\'|'/'\''<'>'*'~'`']",$ids_checkpost) || strstr($ids_checkpost,'union') || strstr($ids_checkpost,'java') || strstr($ids_checkpost,'script') || strstr($ids_checkpost,'substring(') || strstr($ids_checkpost,'ord()')){

$passed=0;
echo "<center>What are you trying to do? whatever it is stop it!</center>"; // or blank so they not know they failed..
event_add(3,"<font color=red>".$ir['username']."</font> <b> Tried to use [".$_SERVER['SCRIPT_NAME']."{$ids_checkpost}].. ");
exit;
}

just to let you know that eregi is deprecated now and wont be used in later versions or already not being used i believe its preg_match now correct me if iam wrong?

[jedigunz]

just to let you know that eregi is deprecated now and wont be used in later versions or already not being used i believe its preg_match now correct me if iam wrong?

with the v2 version I've got i have to use PHP-4.2 or PHP-4.3 ,..

as it relies on Magic Quotes and Magic Quotes has been permanent false from PHP-4.4 ,.

really annoying to be honest,.. but don't really notice it as i have to use an older version anyway

do you own http://nonstopcoding.com/ by the way ??

[Dominion]

Thing is with v2 ,. I got the original version maybe around 10 years ago when it first come out,. I no longer have access to the email accounts that it was purchased with lool,. there's a few injections possible like this,. I have no idea about SQL injections and how to prevent them, what would you need to look at maybe i can post it here

[MENTION=68711]KyleMassacre[/MENTION] seems to be supporting Mccodes so maybe he could check your old E-mail and update the account. Also try [MENTION=52003]Dave Macaulay[/MENTION] , [MENTION=50368]Dabomstew[/MENTION] , and [MENTION=50433]ColdBlooded[/MENTION] .

I really hope every tag gives them an E-mail. CB and dabs might answer...

Anyway since it's using the buy function you could post that.

Fixed It !! this worked in the header.php

 

-=-=-=-=--=-=-=--=-=-=-=-=-=-=-=-

 

$hc = $set['hospital_count'];
	$jc = $set['jail_count'];
	$ec = $ir['new_events'];
	$mc = $ir['new_mail'];

$ids_checkpost=urldecode($_SERVER['QUERY_STRING']);
if(eregi("[\'|'/'\''<'>'*'~'`']",$ids_checkpost) || strstr($ids_checkpost,'union') || strstr($ids_checkpost,'java') || strstr($ids_checkpost,'script') || strstr($ids_checkpost,'substring(') || strstr($ids_checkpost,'ord()')){

$passed=0;
echo "<center>What are you trying to do? whatever it is stop it!</center>"; // or blank so they not know they failed..
event_add(3,"<font color=red>".$ir['username']."</font> <b> Tried to use [".$_SERVER['SCRIPT_NAME']."{$ids_checkpost}].. ");
exit;
}

Don't use a header.php script to check things. A lot of "quick fix" codes went around when Mccodes came out, and since. They have never been good ideas.

 

with the v2 version I've got i have to use PHP-4.2 or PHP-4.3 ,..

as it relies on Magic Quotes and Magic Quotes has been permanent false from PHP-4.4 ,.

really annoying to be honest,.. but don't really notice it as i have to use an older version anyway

do you own http://nonstopcoding.com/ by the way ??

Magic quotes have never been a working part of PHP. Please don't use them. Even more so if it means using such an old PHP version.

Edited December 11, 2015 by Dominion

[jedigunz]

[MENTION=68711]KyleMassacre[/MENTION] seems to be supporting Mccodes so maybe he could check your old E-mail and update the account. Also try [MENTION=52003]Dave Macaulay[/MENTION] , [MENTION=50368]Dabomstew[/MENTION] , and [MENTION=50433]ColdBlooded[/MENTION] .

I really hope every tag gives them an E-mail. CB and dabs might answer...

Anyway since it's using the buy function you could post that.

Don't use a header.php script to check things. A lot of "quick fix" codes went around when Mccodes came out, and since. They have never been good ideas.

Magic quotes have never been a working part of PHP. Please don't use them. Even more so if it means using such an old PHP version.

 

So doesn't the new version of mcv2 use Magic Quotes then ?? ,. and also has SQL Injection prevention in place and more stable ??

[KyleMassacre]

Yep Dom I get the emails (faster than topic replies). If you get me the email or domain you used to license your game I can see what I can do for you. But yes, all you really need is abs(int($_GET['id'])); and that should fix it. The link Dom gave you is also excellent when you upgrade to PHP > 5*

- - - Updated - - -

It is more secure than V2. It checks to see if you have magic quotes enabled and sanitizes stuff if it does/does not. But GMQ has been determined really bad so has been disabled by default now in later PHP versions

[KyleMassacre]

I think I figured out that dumb "- - - UPDATED - - -" thing. Seems if you post again, it will update your latest post so this is a test haha

- - - Updated - - -

Maybe not?

[jedigunz]

Yep Dom I get the emails (faster than topic replies). If you get me the email or domain you used to license your game I can see what I can do for you. But yes, all you really need is abs(int($_GET['id'])); and that should fix it. The link Dom gave you is also excellent when you upgrade to PHP > 5*

Kyle I Think I had you on MSN along with ColdBlooded around 8-10 years ago,. I used so many emails and probably kept started and stopped about 30 websites ,. does [email protected] or [email protected] or [email protected] come up at all,. ??

(edited)

,. oh i am php 5 miss typed 4 lool

Edited December 11, 2015 by jedigunz

[Dominion]

So doesn't the new version of mcv2 use Magic Quotes then ?? ,. and also has SQL Injection prevention in place and more stable ??

Like I said I haven't seen it in a long time, but if it still uses Magic Quotes I would worry. They have never been a way to secure PHP. They were a flop on that front. The idea was good, but one feature fixes everything approach never works.

All it does is addslashes() everything.

http://php.net/manual/en/security.magicquotes.php

Yep Dom I get the emails (faster than topic replies). If you get me the email or domain you used to license your game I can see what I can do for you. But yes, all you really need is abs(int($_GET['id'])); and that should fix it. The link Dom gave you is also excellent when you upgrade to PHP > 5*

- - - Updated - - -

It is more secure than V2. It checks to see if you have magic quotes enabled and sanitizes stuff if it does/does not. But GMQ has been determined really bad so has been disabled by default now in later PHP versions

The E-mail comment was aimed at CB, and dabs. Not the staff members that check the forums anyway. I tagged you and Dave because I figured you would check the forums, and get the notification the site gives you.

[KyleMassacre]

Kyle I Think I had you on MSN along with ColdBlooded around 8-10 years ago,. I used so many emails and probably kept started and stopped about 30 websites ,. does [email protected] or [email protected] or [email protected] come up at all,. ??

(edited)

,. oh i am php 5 miss typed 4 lool

if you give me your first and last name I could find it that way

[jedigunz]

if you give me your first and last name I could find it that way

again I used a fake name with paypal as I was only 13 at the time :p ,. I'm 23 now ,. my names Luke Dunne but think I used James something lool

[Dominion]

again I used a fake name with paypal as I was only 13 at the time :p ,. I'm 23 now ,. my names Luke Dunne but think I used James something lool

PayPal don't check anything do they? Super secure... unless you spend money then we don't care. O.o

[jedigunz]

PayPal don't check anything do they? Super secure... unless you spend money then we don't care. O.o

cant remember name I used or email or address on that account that's the thing :p,.

don't think there's anything you can do for me unless it comes back to me

[Dominion]

cant remember name I used or email or address on that account that's the thing :p,.

don't think there's anything you can do for me unless it comes back to me

Can't recover your old paypal?

[jedigunz]

Can't recover your old paypal?

no its really bugging me as well,. would love to have the updated version

[Dominion]

no its really bugging me as well,. would love to have the updated version

I don't have a copy myself. Do Mccodes have license keys? Maybe they could match that to your copy?

[KyleMassacre]

Nope nothing popped up with any of those. I found your current account but not any others.

[lucky3809]

If you can afford it just pay for someone to go through the engine you have now and secure it for you. Or by another copy of mccodes for the upgrade.

Or look up on google how to secure, it's really not that hard to do. You just have to have time on your hands to do so, or money lol.

[RJDGaming]

Just leaving this here.

http://teachthe.net/?cat=59

[Dominion]

Just leaving this here.

http://teachthe.net/?cat=59

I forgot about seanybob's website. :)

[NonStopCoding]

with the v2 version I've got i have to use PHP-4.2 or PHP-4.3 ,..

as it relies on Magic Quotes and Magic Quotes has been permanent false from PHP-4.4 ,.

really annoying to be honest,.. but don't really notice it as i have to use an older version anyway

do you own http://nonstopcoding.com/ by the way ??

Yea that's my website