Jump to content
MakeWebGames

SQL Injections


Recommended Posts

I have seen many games that are quite good , but their context is very easily exploitible...

Protecting your site from SQL injections and other hacking Procedures is vital and crucial to your game , because many players will leave if they are not satisfied with the performance of the games staff. Staff Should make sure SQL injections dont take place , and if they do they should be well prepared for it. We all saw what hapened to TC ...

So lets start , SQL stands for Structured Query Language.Most SQL injections take place in ASP or NET , so it may not necisrily hapen in your game.

What is a SQL injection:

SQL Injection is one of the many web attack mechanisms used by hackers to steal data from organizations. It is perhaps one of the most common application layer attack techniques used today. It is the type of attack that takes advantage of improper coding of your web applications that allows hacker to inject SQL commands into say a login form to allow them to gain access to the data held within your database. In essence, SQL Injection arises because the fields available for user input allow SQL statements to pass through and query the database directly.

 

---------------------------------------------------------------------------------------------------

Overview

A successful SQL injection attack enables a malicious user to execute commands in your application's database by using the privileges granted to your application's login. The problem is more severe if your application uses an over-privileged account to connect to the database. For example, if your application's login has privileges to eliminate a database, then without adequate safeguards, an attacker might be able to perform this operation.

Common vulnerabilities that make your data access code susceptible to SQL injection attacks include:

Weak input validation.

Dynamic construction of SQL statements without the use of type-safe parameters.

Use of over-privileged database logins.

-------------------------------------------------------------------------------------------

If you are a owner of a game , but dont knmow anything about SQL then you should do the following :

Learn how SQL injection attacks work.

Constrain input to prevent SQL injection.

Use type safe SQL command parameters to prevent SQL injection.

Use a least privileged account to connect to the database.

Learn additional countermeasures to further reduce risk.

 

To counter SQL injection attacks, you need to constrain and sanitize input data. Check for known good data by validating for type, length, format, and range .Use type-safe SQL parameters for data access. Also usse an account that has restricted permissions in the database. Ideally, you should only grant execute permissions to selected stored procedures in the database and provide no direct table access.

 

Some people think IP Security and Secure Socket Layer protect them from such 'hacking' methods , THEY DO NOT !

Usefull Sites:

http://www.acunetix.com/websitesecurity ... ction2.htm

http://www.unixwiz.net/techtips/sql-injection.html

~Sarunas

Link to comment
Share on other sites

  • Replies 74
  • Created
  • Last Reply

Top Posters In This Topic

Re: SQL Injections

One more thing , remember to patch your game :)

Many games , such as MW were exploited , i found a massive bug that i reported to EmotionLess :p All because Tim ( mk5 the owner ) forgot to patch lol

~Sarunas

Link to comment
Share on other sites

Re: SQL Injections

 

One more thing , remember to patch your game :)

Many games , such as MW were exploited , i found a massive bug that i reported to EmotionLess :p All because Tim ( mk5 the owner ) forgot to patch lol

~Sarunas

one time in metro Wars

i put gold bars up for sale and for some reason 9 players were able to buy one set of gold bars

i told one of staff

that problem was fixed

Link to comment
Share on other sites

Re: SQL Injections

OK, so what actions do you think i should give for the database, here are my options, and i've underlined the ones i was planning on giving the mysql user.

Create

Select

References ??

Alter ??

Delete

Insert

Index

Create Temp Tables

Drop

Update

Thoughts?

Lock

Link to comment
Share on other sites

Re: SQL Injections

if its normally:

SELECT * FROM players WHERE name = '$name' AND pass = MD5('$pass')

you could add as the password (if not properly protected)

a') OR MD5('a') = MD5('a

then again, some dont encrypt at all, and sql injection isn't just for logging in, it can be used in almost any input box, and i doubt you hash every record in every row in every table :p

Link to comment
Share on other sites

Re: SQL Injections

I would just like to add a thought. I agree 100% that you have to know about injections to prevent it. I would like to caution though in this forum environment, there are people that read posts made here, that are less than respectable. Some are kids with nothing better to do than steal codes, spam games and more less cause shit for one reason or another. I think that any post made in this topic such as this should be well thought out before one posts. Its a double edged sword. Please just keep in mind that information is good and bad. I would hate to see things posted here become used against people rather than for people. Just my two cents. If theres talk of how to inject there should always be how to secure ones game againt it, in the same post.

Link to comment
Share on other sites

Re: SQL Injections

Well most MC coded games , that are good will be protected , the other that were created just for a quick buck arent ...

And to stop SQL injections i think you would have to learn the basics , but i understand your point...

Link to comment
Share on other sites

Re: SQL Injections

 

so all the people have to do is inject an sql command into the login form? (do they inject on udername and password or one of them only?)

They take place in text boxes , but i believe to hack someone you would use the loging and user input box ...

Link to comment
Share on other sites

Guest Anonymous

Re: SQL Injections

you don't even need to do all this to hack a game, just one lil program i can not name. but it will give you access to all scripts within that domain

Link to comment
Share on other sites

Re: SQL Injections

SQL injection is a variety of techniques that all have the goal of letting an attacker run whichever SQL statements they want in your database. Unlike many hacking techniques the attacker is not trying to get direct access to the database by for instance stealing or cracking a password or exploiting a bug in the DBMS, even though they may use SQL injection to set up a backdoor that would later give them direct access.

Depends what exactly you want to do...

Link to comment
Share on other sites

Guest Anonymous

Re: SQL Injections

yes, i know what sql injections are, but if your going to protect your game you need to protect it from all things. a good way is using htaccess files in each folder with mod_rewrite turned on which makes it just a lil more difficult to exploit

Link to comment
Share on other sites

Re: SQL Injections

yeah, always validate your input. If using mysql use mysql_real_escape_string to strip '`; etc. If not using mysql use addslashes.

trim() any spaces from strings, check the legnth of a string strlength i think, and use preg_match to make sure only nice chars allowed.

Link to comment
Share on other sites

Re: SQL Injections

Noelle, I uderstand your point.

ITs true, you have to know what a weakness is before you can fix it ex:

To be a debugger you must first know how to make bugs.

And how old you think i am?

Kid age?

 

you don't even need to do all this to hack a game, just one lil program i can not name. but it will give you access to all scripts within that domain

Go blow, there are not such a thing.

Its the same as md5.

If you give me the program that will actually do it, untill then dream on..

Btw.. I have seen a real program that decrypts md5.(DO NOT ASK ME HOW!!, i will not tell you)

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share


×
×
  • Create New...