Aqua Posted April 12, 2007 Share Posted April 12, 2007 I have seen many games that are quite good , but their context is very easily exploitible... Protecting your site from SQL injections and other hacking Procedures is vital and crucial to your game , because many players will leave if they are not satisfied with the performance of the games staff. Staff Should make sure SQL injections dont take place , and if they do they should be well prepared for it. We all saw what hapened to TC ... So lets start , SQL stands for Structured Query Language.Most SQL injections take place in ASP or NET , so it may not necisrily hapen in your game. What is a SQL injection: SQL Injection is one of the many web attack mechanisms used by hackers to steal data from organizations. It is perhaps one of the most common application layer attack techniques used today. It is the type of attack that takes advantage of improper coding of your web applications that allows hacker to inject SQL commands into say a login form to allow them to gain access to the data held within your database. In essence, SQL Injection arises because the fields available for user input allow SQL statements to pass through and query the database directly. --------------------------------------------------------------------------------------------------- Overview A successful SQL injection attack enables a malicious user to execute commands in your application's database by using the privileges granted to your application's login. The problem is more severe if your application uses an over-privileged account to connect to the database. For example, if your application's login has privileges to eliminate a database, then without adequate safeguards, an attacker might be able to perform this operation. Common vulnerabilities that make your data access code susceptible to SQL injection attacks include: Weak input validation. Dynamic construction of SQL statements without the use of type-safe parameters. Use of over-privileged database logins. ------------------------------------------------------------------------------------------- If you are a owner of a game , but dont knmow anything about SQL then you should do the following : Learn how SQL injection attacks work. Constrain input to prevent SQL injection. Use type safe SQL command parameters to prevent SQL injection. Use a least privileged account to connect to the database. Learn additional countermeasures to further reduce risk. To counter SQL injection attacks, you need to constrain and sanitize input data. Check for known good data by validating for type, length, format, and range .Use type-safe SQL parameters for data access. Also usse an account that has restricted permissions in the database. Ideally, you should only grant execute permissions to selected stored procedures in the database and provide no direct table access. Some people think IP Security and Secure Socket Layer protect them from such 'hacking' methods , THEY DO NOT ! Usefull Sites: http://www.acunetix.com/websitesecurity ... ction2.htm http://www.unixwiz.net/techtips/sql-injection.html ~Sarunas Quote Link to comment Share on other sites More sharing options...
Decepti0n Posted April 12, 2007 Share Posted April 12, 2007 Re: SQL Injections Yeah, I really should make more permission-specific accounts for mysql Quote Link to comment Share on other sites More sharing options...
Aqua Posted April 12, 2007 Author Share Posted April 12, 2007 Re: SQL Injections One more thing , remember to patch your game :) Many games , such as MW were exploited , i found a massive bug that i reported to EmotionLess :p All because Tim ( mk5 the owner ) forgot to patch lol ~Sarunas Quote Link to comment Share on other sites More sharing options...
Vorless DarkChaos Posted April 12, 2007 Share Posted April 12, 2007 Re: SQL Injections One more thing , remember to patch your game :) Many games , such as MW were exploited , i found a massive bug that i reported to EmotionLess :p All because Tim ( mk5 the owner ) forgot to patch lol ~Sarunas one time in metro Wars i put gold bars up for sale and for some reason 9 players were able to buy one set of gold bars i told one of staff that problem was fixed Quote Link to comment Share on other sites More sharing options...
Aqua Posted April 12, 2007 Author Share Posted April 12, 2007 Re: SQL Injections mmmm , i agree 'anything' OR 'x' = 'x' is very common Quote Link to comment Share on other sites More sharing options...
Aqua Posted April 12, 2007 Author Share Posted April 12, 2007 Re: SQL Injections What does it do though ? Quote Link to comment Share on other sites More sharing options...
Decepti0n Posted April 12, 2007 Share Posted April 12, 2007 Re: SQL Injections it becomes SELECT * FROM users WHERE name = 'jack' AND pass = 'anything' OR 'x' = 'x' Quote Link to comment Share on other sites More sharing options...
Aqua Posted April 12, 2007 Author Share Posted April 12, 2007 Re: SQL Injections Ahhh , thank you for that :) Quote Link to comment Share on other sites More sharing options...
ignite Posted April 12, 2007 Share Posted April 12, 2007 Re: SQL Injections It all seems very confusing.... Quote Link to comment Share on other sites More sharing options...
Jake Posted April 12, 2007 Share Posted April 12, 2007 Re: SQL Injections OK, so what actions do you think i should give for the database, here are my options, and i've underlined the ones i was planning on giving the mysql user. Create Select References ?? Alter ?? Delete Insert Index Create Temp Tables Drop Update Thoughts? Lock Quote Link to comment Share on other sites More sharing options...
Jake Posted April 12, 2007 Share Posted April 12, 2007 Re: SQL Injections Surely i need to have DELETE for inventory, and points market, and all stuff like that? Quote Link to comment Share on other sites More sharing options...
twist_killer Posted April 12, 2007 Share Posted April 12, 2007 Re: SQL Injections so all the people have to do is inject an sql command into the login form? (do they inject on udername and password or one of them only?) Quote Link to comment Share on other sites More sharing options...
Decepti0n Posted April 12, 2007 Share Posted April 12, 2007 Re: SQL Injections if its normally: SELECT * FROM players WHERE name = '$name' AND pass = MD5('$pass') you could add as the password (if not properly protected) a') OR MD5('a') = MD5('a then again, some dont encrypt at all, and sql injection isn't just for logging in, it can be used in almost any input box, and i doubt you hash every record in every row in every table :p Quote Link to comment Share on other sites More sharing options...
Raptor_Jesus Posted April 13, 2007 Share Posted April 13, 2007 Re: SQL Injections I would just like to add a thought. I agree 100% that you have to know about injections to prevent it. I would like to caution though in this forum environment, there are people that read posts made here, that are less than respectable. Some are kids with nothing better to do than steal codes, spam games and more less cause shit for one reason or another. I think that any post made in this topic such as this should be well thought out before one posts. Its a double edged sword. Please just keep in mind that information is good and bad. I would hate to see things posted here become used against people rather than for people. Just my two cents. If theres talk of how to inject there should always be how to secure ones game againt it, in the same post. Quote Link to comment Share on other sites More sharing options...
Aqua Posted April 13, 2007 Author Share Posted April 13, 2007 Re: SQL Injections Well most MC coded games , that are good will be protected , the other that were created just for a quick buck arent ... And to stop SQL injections i think you would have to learn the basics , but i understand your point... Quote Link to comment Share on other sites More sharing options...
Aqua Posted April 13, 2007 Author Share Posted April 13, 2007 Re: SQL Injections so all the people have to do is inject an sql command into the login form? (do they inject on udername and password or one of them only?) They take place in text boxes , but i believe to hack someone you would use the loging and user input box ... Quote Link to comment Share on other sites More sharing options...
Guest Anonymous Posted April 13, 2007 Share Posted April 13, 2007 Re: SQL Injections you don't even need to do all this to hack a game, just one lil program i can not name. but it will give you access to all scripts within that domain Quote Link to comment Share on other sites More sharing options...
Aqua Posted April 13, 2007 Author Share Posted April 13, 2007 Re: SQL Injections SQL injection is a variety of techniques that all have the goal of letting an attacker run whichever SQL statements they want in your database. Unlike many hacking techniques the attacker is not trying to get direct access to the database by for instance stealing or cracking a password or exploiting a bug in the DBMS, even though they may use SQL injection to set up a backdoor that would later give them direct access. Depends what exactly you want to do... Quote Link to comment Share on other sites More sharing options...
Guest Anonymous Posted April 13, 2007 Share Posted April 13, 2007 Re: SQL Injections yes, i know what sql injections are, but if your going to protect your game you need to protect it from all things. a good way is using htaccess files in each folder with mod_rewrite turned on which makes it just a lil more difficult to exploit Quote Link to comment Share on other sites More sharing options...
hamster01 Posted April 13, 2007 Share Posted April 13, 2007 Re: SQL Injections not if i do a blind sql injection lol Quote Link to comment Share on other sites More sharing options...
mikey1090 Posted April 15, 2007 Share Posted April 15, 2007 Re: SQL Injections yeah, always validate your input. If using mysql use mysql_real_escape_string to strip '`; etc. If not using mysql use addslashes. trim() any spaces from strings, check the legnth of a string strlength i think, and use preg_match to make sure only nice chars allowed. Quote Link to comment Share on other sites More sharing options...
Decepti0n Posted April 15, 2007 Share Posted April 15, 2007 Re: SQL Injections you don't even need to do all this to hack a game, just one lil program i can not name. but it will give you access to all scripts within that domain Oh whatever Quote Link to comment Share on other sites More sharing options...
hamster01 Posted April 15, 2007 Share Posted April 15, 2007 Re: SQL Injections Noelle, I uderstand your point. ITs true, you have to know what a weakness is before you can fix it ex: To be a debugger you must first know how to make bugs. And how old you think i am? Kid age? you don't even need to do all this to hack a game, just one lil program i can not name. but it will give you access to all scripts within that domain Go blow, there are not such a thing. Its the same as md5. If you give me the program that will actually do it, untill then dream on.. Btw.. I have seen a real program that decrypts md5.(DO NOT ASK ME HOW!!, i will not tell you) Quote Link to comment Share on other sites More sharing options...
Decepti0n Posted April 15, 2007 Share Posted April 15, 2007 Re: SQL Injections Your MD5 program sounds just like his file listing program :) Quote Link to comment Share on other sites More sharing options...
hamster01 Posted April 15, 2007 Share Posted April 15, 2007 Re: SQL Injections lol, no Just some number crunching. I seen it on some website. Had to be real for it to be there. ;) Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.