gurpreet Posted March 8, 2008
Ok, so on my game I've got a crystal market and a DD market, but they can be exploited...
?action=buy&ID=0%20union%20all%20select%201000,999999999,999999999,-999999999
?action=buy&ID=+1%20union%20all%20select%201000,200000000,200000000,-20000
Those are the injections used, so I'm wondering how I can fix them? Thanks.
Analog Posted March 8, 2008
Re: Need some help
$_GET['ID'] = abs((int)$_GET['ID']);
gurpreet (Author) Posted March 8, 2008
Hmm, so would I add that where the ?action=buy bit is in the coding?
Analog Posted March 8, 2008
I'm assuming ID= is numerical... so just check it at the top of the file, like after menuarea().
Analog Posted March 8, 2008
Assuming ID is numerical, you could also check it like this:
if(!is_numeric($_GET['ID'])) { die("error"); }
gurpreet (Author) Posted March 8, 2008
Well, as you can see:
?action=buy&ID=0%20union%20all%20select%201000,999999999,999999999,-999999999
So it could work, right?
Floydian Posted March 8, 2008
Dur's mor din 2 ways ta sk'n a wabbit...
gurpreet (Author) Posted March 8, 2008
// reject any non-digit character in ID (preg_match; eregi is removed in PHP 7)
if(preg_match("/[^0-9]/", $_GET['ID'])) { $h->endpage(); exit(); }
So like this?
print "Adding a listing... You have {$ir['crystals']} crystal(s) that you can add to the market. The most you can ask for per crystal is \$10,000
<form action='cmarket.php?action=add' method='post'><table width=50% border=2><tr>
<td>Crystals:</td> <td><input type='text' name='amnt' value='{$ir['crystals']}' /></td></tr><tr>
<td>Price Each:</td> <td><input type='text' name='price' value='0' /></td></tr><tr>
<td colspan=2 align=center><input type='submit' value='Add To Market' /></td></tr></table></form>";
}
}
if(preg_match("/[^0-9]/", $_GET['ID'])) { $h->endpage(); exit(); }
BTW, someone is threatening to shut my game down in 20 mins...
AlabamaHit Posted March 10, 2008
Just put this right after the include "globals.php";
$_POST['price'] = abs((float) $_POST['price']);
$_GET['ID'] = abs((int) $_GET['ID']);
That will fix it... also, put that on ALL markets you have that are like the crystal market.
gurpreet (Author) Posted March 10, 2008
Thanks for that :) Is there any way I can add a message, or if they try an injection they go to federal jail for 500 days for reason: Don't try injections, or something like that?
AlabamaHit Posted March 11, 2008
Yeah, just add a query for it... my game puts people in federal jail for certain things....
gurpreet (Author) Posted March 11, 2008
Ok, well I'm new to coding really, so should I just copy a fed jail code and edit it?
AlabamaHit Posted March 12, 2008
Well, the thing is, if you put it in your market and someone tries to buy crystals that aren't there, you're going to fed someone for the wrong reason. You should come up with something other than that... And it would go in your header.php... sorry on the lack of description, but if everyone knew the security they could beat it... not saying it's not beatable now, lol... anything is able to be uncoded.
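For reference, here is what the fixes discussed in this thread look like when put together in one buy handler: the integer check on ID, the cap on the POSTed price (the form text above says $10,000 per crystal), and a bound parameter so the ID can never change the SQL text. This is an added example, not code from the thread or from any poster; the table and column names (cmarket with cmID, cmQTY, cmPRICE, cmADDER; users with userid, money, crystals), the $db PDO handle and the $ir/$h variables are assumptions for illustration.

```php
<?php
// Added example, not code from the thread. Table/column names and the
// $db PDO handle are assumptions chosen for illustration only.
declare(strict_types=1);

const MAX_PRICE_PER_CRYSTAL = 10000; // limit stated in the market's own form text

/** Return the listing ID only if the raw value is a plain positive integer. */
function parseListingId(array $get): ?int
{
    if (!isset($get['ID'])) {
        return null;
    }
    $raw = trim((string)$get['ID']);
    // ctype_digit rejects "0 union all select ..." outright instead of
    // silently truncating it to 0 the way (int) alone would.
    if ($raw === '' || !ctype_digit($raw)) {
        return null;
    }
    $id = (int)$raw;
    return $id > 0 ? $id : null;
}

/** Validate a POSTed per-crystal price: numeric, positive, within the cap. */
function parsePrice(array $post): ?int
{
    if (!isset($post['price']) || !is_numeric($post['price'])) {
        return null;
    }
    $price = (int)abs((float)$post['price']);
    if ($price < 1 || $price > MAX_PRICE_PER_CRYSTAL) {
        return null;
    }
    return $price;
}

/** Buy the whole listing for $buyerId; returns a message for the player. */
function buyListing(PDO $db, int $buyerId, int $listingId): string
{
    $db->beginTransaction();
    try {
        // Bound parameter: the ID travels as a value, never spliced into SQL,
        // so a "union all select" payload cannot reshape the result set.
        $sel = $db->prepare('SELECT cmQTY, cmPRICE, cmADDER FROM cmarket WHERE cmID = :id');
        $sel->execute([':id' => $listingId]);
        $row = $sel->fetch(PDO::FETCH_ASSOC);
        if ($row === false || (int)$row['cmADDER'] === $buyerId) {
            $db->rollBack();
            return 'No such listing.';
        }
        // Cost comes from the stored row, not from anything the client sent,
        // so the huge price/quantity values in the thread have nowhere to enter.
        $cost = (int)$row['cmQTY'] * (int)$row['cmPRICE'];

        // Conditional debit: the row changes only if the buyer can afford it,
        // which also closes the gap between "check balance" and "charge".
        $debit = $db->prepare(
            'UPDATE users SET money = money - :cost WHERE userid = :uid AND money >= :cost2'
        );
        $debit->execute([':cost' => $cost, ':uid' => $buyerId, ':cost2' => $cost]);
        if ($debit->rowCount() !== 1) {
            $db->rollBack();
            return 'You cannot afford that.';
        }
        $db->prepare('UPDATE users SET crystals = crystals + :q WHERE userid = :uid')
           ->execute([':q' => (int)$row['cmQTY'], ':uid' => $buyerId]);
        $db->prepare('UPDATE users SET money = money + :c WHERE userid = :uid')
           ->execute([':c' => $cost, ':uid' => (int)$row['cmADDER']]);
        $db->prepare('DELETE FROM cmarket WHERE cmID = :id')
           ->execute([':id' => $listingId]);
        $db->commit();
        return 'Purchase complete.';
    } catch (Throwable $e) {
        $db->rollBack();
        throw $e;
    }
}

// Usage in the page handler, right after globals.php / menuarea() as advised above
// ($db, $ir and $h are assumed to exist as in the game's other pages):
// $id = parseListingId($_GET);
// if ($id === null) { $h->endpage(); exit(); }
// echo buyListing($db, (int)$ir['userid'], $id);
```

Two points worth noting: the check-then-cast in parseListingId refuses the request instead of quietly turning an injection string into listing 0, which is what abs((int)...) alone does, and the conditional UPDATE makes the balance check and the debit a single statement, so two near-simultaneous purchases cannot both pass a separate "can afford" test.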