Jump to content
MakeWebGames

SQL Injections

Aqua
 Share

Recommended Posts

Isomerizer Newbie

Isomerizer

Posted
Posted

Re: SQL Injections

 

MD5 can't be decrypted..

They use a huge database.

Dont mean to rain on your parade there but I think they can be decrypted.

 

Md5 Hash: efe6398127928f1b2e9ef3207fb82663
Normal Text: qweqwe

 

Well Whoop de Whoop I just decrpyted the most basic letter password you could think of :D

You really decrypted that all by yourself? With no comparison's or not using them big database sites with thousands of MD5 strings in them...

Link to comment
Share on other sites
  • Replies 74
  • Created
  • Last Reply

Top Posters In This Topic

Popular Days

Top Posters In This Topic

Popular Days

  • 4 weeks later...
  • 2 weeks later...
riderdaz Newbie

riderdaz

Posted
Posted

Re: SQL Injections

 

Anyone who wants help with SQL injections, contact me :)

im so tired and can't be asked to keep trying loads of different functions can someone post a working one here i just ain't got a clue about sql i will learn tomorrow :|

Link to comment
Share on other sites
  • 3 weeks later...
overklokan Newbie

overklokan

Posted
Posted

Re: SQL Injections

 

Anyone who wants help with SQL injections, contact me :)

im so tired and can't be asked to keep trying loads of different functions can someone post a working one here i just ain't got a clue about sql i will learn tomorrow :|

it's not about sql, it's about php ... mysql is doing just what php asks it to do ... filters are part of .php code, and while many

are very complicated, there's no need for that if you KNOW what type of data user can submit ... one of the first line of defense

are JavaScript validators, they work on client-side (user browser) and can be set to filter ANY unwanted characters from data

that user inputs inside his browser ... next thing is to make sure your submit buttons don't work when JavaScript is disabled in

users' browser, otherwise validators are not helping at all ... on top of that, exactly the same kind of filter (or stronger) must be

set on server side (in case that hacker avoid all client-side defenses)

what is great with this aproach is that you will instantly know if you have "business" with good hacker or not ... for example, if you

expect that user submit only numbers and you have JavaScript validator to filter that on client-side, on any non-number character

sent to server you know that you are dealing with someone who is not kiddy playing with others' hack-programs ! if so, kick him out

game immidiately ;o))

Link to comment
Share on other sites
Guest Anonymous

Guest Anonymous

Posted
Posted

Re: SQL Injections

However you should never assume the user has javascript enabled. Most my peers have javascript permanently disabled across the board for security reasons and enabled it only where absolutely necessary.

The other issue is disabling submit buttons on the client side will not help you at all. I don't care if they are disabled or not - I can still "post" data straight onto the server.

Client side validation is useful, but server side must always be done 100%.

Link to comment
Share on other sites
overklokan Newbie

overklokan

Posted
Posted

Re: SQL Injections

 

However you should never assume the user has javascript enabled. Most my peers have javascript permanently disabled across the board for security reasons and enabled it only where absolutely necessary.

The other issue is disabling submit buttons on the client side will not help you at all. I don't care if they are disabled or not - I can still "post" data straight onto the server.

Client side validation is useful, but server side must always be done 100%.

i do not asume, i reject anyone that has it disabled. no JS no game ... however, most sites

that 4n4lyze internet traffic rate JS enabled at around 90%+ ... for example:

JavaScript Stats

Fri Feb 1 00:01:02 2008 - Fri Feb 29 23:58:01 2008 29.0 Days

Javascript 1.2+: 6174899 (94%)

Javascript <1.2: 10916 (0%)

Javascript false: 335034 (5%)

source: http://www.thecounter.com/stats/2008/Fe ... rowser.php (JS and other stats

are on the right from browser stats)

if you know how to "post" data to server than you are NOT in the group JS validation is added for :wink:

Link to comment
Share on other sites
Guest Anonymous

Guest Anonymous

Posted
Posted

Re: SQL Injections

Remember, I can spoof you - Your server will think I have it enabled, when it fact it is disabled... Single stepping through javascript is not difficult, injecting innerHTML is not difficult, protecting against it ... is. Server side validation has to be thought out extremely carefully otherwise you can run into some expensive problems.

Link to comment
Share on other sites
Floydian Newbie

Floydian

Posted
Posted

Re: SQL Injections

I look at it this way, I could care less if someone wants to try and hack my game. Let em at it, and they can teach me something if they find a security hole, therefore, just because someone submits data in a way that isn't what *should* be submitted I wouldn't ban them from the site. I've seen staff fed people way to soon when if they had let them do their thing for a bit longer, a bigger problem might have been uncovered.

With that philosophy in mind, while I see the value in client side validation, I am with Nyna on this one in that it has to be 100% server side validation and I think that if you're going to validate server side 100%, validating client side is merely a redundancy. (Of course, like it's been said, if they bypass the validation then you know you've got someone that has some skillz)

Going back to riderdaz, it seems to me that they want someone to do it for them. All this talk of server side and client side crap prolly sounds like hogwash to them. Correct me if I'm wrong please, but could you do it?

So, read, study, practice, and practice some more rider!

Link to comment
Share on other sites
Guest Anonymous

Guest Anonymous

Posted
Posted

Re: SQL Injections

Well I use client side to reduce the amount to traffic being sent back to server then back out to the client, so it does server a purpose.

With regard to hacking games, yes, I agree, I have no issue with someone trying, however if anyone does bypass the security measures in place be prepared for trouble. If we as game-owners sell donator packs etc, then upsetting a possible large number of donators may have legal repercussions (I'm no legal boffin, but isn't there something in the distance selling regulations?)

What amazes me is just how easy it is to prevent SQL injection - or at least a very high % of it. There are several topics and posts in these very forums on that subject, and yet daily I see a new games spring up only to be hacked often with 48 hours.

Link to comment
Share on other sites
overklokan Newbie

overklokan

Posted
Posted

Re: SQL Injections

 

Well I use client side to reduce the amount to traffic being sent back to server then back out to the client, so it does server a purpose.

With regard to hacking games, yes, I agree, I have no issue with someone trying, however if anyone does bypass the security measures in place be prepared for trouble. If we as game-owners sell donator packs etc, then upsetting a possible large number of donators may have legal repercussions (I'm no legal boffin, but isn't there something in the distance selling regulations?)

What amazes me is just how easy it is to prevent SQL injection - or at least a very high % of it. There are several topics and posts in these very forums on that subject, and yet daily I see a new games spring up only to be hacked often with 48 hours.

true, true ... don't get me wrong, maybe it ended looking like that, but i don't think one DON'T need server-side

filtering of user data ... i just proposed JS as step 1 in building defense ... it will protect from to-be-hacker kids

and also can reduce traffic/requests to server ... about prevention = general rule is that "the more freedom you

give to user the worse" = filtering complex user input is not easy ... on one site i found nice advices, like "if you

can do it so user submit only numbers do it" ! prevention than is much easier, cause one can use .php things to

check if submited data is number ... if not, well ...

Link to comment
Share on other sites
Floydian Newbie

Floydian

Posted
Posted

Re: SQL Injections

To the question of legal culpability by the website if they get hacked I don't think that's so.

There are a number of problems inherent in the "customer's" ability to seek legal damages. The first of which is the likely hood of suing someone that is not in the same country the customer is (highly unlikely if the person spent $5 USD). Imagine the costs involved...

Second, and most important, they are "donations" with no service implied. You simply donate your money at your own risk.

There's absolutely no way anyone can sue a website for something of that nature and expect to win.

And last in my mind is the fact that they aren't going to be able to delete your pay pal records and they aren't going to be able to delete your offsite backups.

Add to this the fact that the pentagon suffers breaches of security all the time, and supposedly military/govt security is the best money can buy, so there's no way to 100% protect the site. My experience with players is that if a site goes down for a day they will be grateful when it's back up the next day and a very recent backup is used to restore most of what they had.

There's always the bad apple and I've put one or two people in "FED" where they've turned around and threatened legal action if they weren't let out. Of course, such a thing hasn't happened yet, as they normally just have pay pal do a charge back lol.

Link to comment
Share on other sites
  • 2 weeks later...
Guest Anonymous

Guest Anonymous

Posted
Posted

Re: SQL Injections

Okay, so consider one particular scenario. I have a large client who is basically an insurance broker. Claims come in to the main floor (120+ seats), are dealt with by an operator and actioned against but setting up meetings with the legal people, surveyors etc.

Now we also have a mechanism to extend the system whereby "home workers" can log in from a remote location and manage the data.

Now, were anybody able to break the extremely tight security (in this case, client-side keys with silly bit-counts), it may be possible to see financial records and possibly manipulate them.

Now the organization itself is covered under the DP act, but that's no real help to anybody who has there details altered. Customers at this stage may well have some legal recourse, although in my case, all I can do is cover my own ass!

As I said, I'm no legal expert and have no wish to follow that route - too much red-tape as it is... but I think it is our duty as developers to produce the tightest code possible and protect our asses/assets as much as possible, after all, it is the people who use the sites we create that (hopefully) bring in the folding stuff.

Link to comment
Share on other sites
  • 9 months later...
Saha Newbie

Saha

Posted
Posted

Re: SQL Injections

I know this topic is old but i was searching for a mod and it appeared so i thought id have a look and feel you missed a valuable thing out,

Sql Injections are the most comon used hacking method the hacker in question would use it to gain access to port 80 a very vulnerable port which has been found difficult to block the safest thing to do to prevent sql attacks is secure all your 'input' and 'output' data. Do not listen to these people who say they will protect your game for a fee as they often dont have a clue as you would have to go through your entire game securing it. Everything is hackable in a game the only possible thing to do it slow them down so you can do something about it or secure it enough so that the hacker will run out of sql injections as most Game Hackers will be people who have picked things up as they go along and have no idea how to make a sql injection or how to search for exploits. This is why you try your best to look into future injections as well as present and past ones as you will face problems in the future.

Now a hacker is evendently breaking the law by even attempting to access your databases so what i suggest is if the hacker is dumb enough to tell you it is him get his ip and hostname and report him to his host to get his internet shut off for "Using Criminal Skills".

There are many ways a hacker can hack into your files, databases even computer.... I will now give you some information on the Ways they can hack your computer.

If the hacker is truely a hacker then he/she will be able to access your computer using a well known Command Prompt, hackers can store these commands in .bat files (Viruses are made in .bat) and then hide it with a combinatio of trojans and hidden ghost files they can be attached to anything such as images, songs, even little messages over msn and sent to you without knowing. Once the file is in your computer a hacker could if he/she has one use a remote file opener(not called that im unsure of the proper name) to open the file on your computer the .bat file will then root through your computer to find the command prompt and use it to controll your computer /or do what it is programmed to do, ie, shut down computer, delete Windows 32, delete files etc...

Although hackers can do this very easily they do not because of an unofficial law by hackers called Classification Priority, which came into affect in about 1993 which is still not known by alot of hackers. This Hacker law means that you are considered a danger if you hack someone without good intensions, this will lower your rep in the hacker society and may also result in a better hacker doing a wipe out (Wiping your computer clean). Alot of hackers today do not know abou this law and do not understand the rules of privacy, although a hacker can do it they will not without good intensions.

I Sorta got muddled up there if it makes no sense then read carefully.

Link to comment
Share on other sites
Sim Community Regular

Sim

Posted
Posted

Re: SQL Injections

 

I know this topic is old but i was searching for a mod and it appeared so i thought id have a look and feel you missed a valuable thing out,

Sql Injections are the most comon used hacking method the hacker in question would use it to gain access to port 80 a very vulnerable port which has been found difficult to block the safest thing to do to prevent sql attacks is secure all your 'input' and 'output' data. Do not listen to these people who say they will protect your game for a fee as they often dont have a clue as you would have to go through your entire game securing it. Everything is hackable in a game the only possible thing to do it slow them down so you can do something about it or secure it enough so that the hacker will run out of sql injections as most Game Hackers will be people who have picked things up as they go along and have no idea how to make a sql injection or how to search for exploits. This is why you try your best to look into future injections as well as present and past ones as you will face problems in the future.

Now a hacker is evendently breaking the law by even attempting to access your databases so what i suggest is if the hacker is dumb enough to tell you it is him get his ip and hostname and report him to his host to get his internet shut off for "Using Criminal Skills".

There are many ways a hacker can hack into your files, databases even computer.... I will now give you some information on the Ways they can hack your computer.

If the hacker is truely a hacker then he/she will be able to access your computer using a well known Command Prompt, hackers can store these commands in .bat files (Viruses are made in .bat) and then hide it with a combinatio of trojans and hidden ghost files they can be attached to anything such as images, songs, even little messages over msn and sent to you without knowing. Once the file is in your computer a hacker could if he/she has one use a remote file opener(not called that im unsure of the proper name) to open the file on your computer the .bat file will then root through your computer to find the command prompt and use it to controll your computer /or do what it is programmed to do, ie, shut down computer, delete Windows 32, delete files etc...

Although hackers can do this very easily they do not because of an unofficial law by hackers called Classification Priority, which came into affect in about 1993 which is still not known by alot of hackers. This Hacker law means that you are considered a danger if you hack someone without good intensions, this will lower your rep in the hacker society and may also result in a better hacker doing a wipe out (Wiping your computer clean). Alot of hackers today do not know abou this law and do not understand the rules of privacy, although a hacker can do it they will not without good intensions.

I Sorta got muddled up there if it makes no sense then read carefully.

someone turned there mccode game into a real hacking program for people?

Link to comment
Share on other sites
Saha Newbie

Saha

Posted
Posted

Re: SQL Injections

Random i see what your saying not many people can fully secure a site on CE some can get close but unfortunately even then hackers will gain access eventually. Nyna the information i posted previously is as good of education on sql injection. I learnt that from experience talking to hackers who could hack Alot of sites in a matter of minutes. I think it was Sin, i did not post what you said infact i sort of travelled away from the actual subject, Killah thanx for correcting him ;)

I am no proffessional and i agree some of my information may of been wrong but only 1 or 2 facts as i know from talking to some of the best hackers in the Uk and my mates dad being a Network Engineer, also a Asistant Programmer for Google, that 95% of the information i posted is true, the other 5% may of changed since i last did a bit of research on Injections.

Also i feel i did not space my information out enough for it to be a bit more understandable and i think i could of explained it better.

EDIT: Nyna I also apologise if you believe the information is wrong as i think i may of posted it incorrectly in some parts as i am still a newbie.

Link to comment
Share on other sites
CtrlFreq Newbie

CtrlFreq

Posted
Posted

Re: SQL Injections

 

I also apologise if you believe the information is wrong as i think i may of posted it incorrectly in some parts as i am still a newbie.

It's not so much that you were wrong as much as it was the fact that it was ultra-paranoid, buzzword-laden, and entirely incoherent.

Link to comment
Share on other sites
  • 1 month later...
Dave Community Regular

Dave

Posted
Posted

Re: SQL Injections

Just a question: what if you ioncubed your files? zend/ioncube. I 'd go with ioncube, newer and hasn't been cracked in public yet xD

How would that effect injects?

Surely it wouldn't because when you use ioncube it gets 'decoded' on the server then the file is ran... im not certain on this but im preety sure that ioncubing a file would not help against mysql injections

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...