Jump to content
MakeWebGames

forum SQL injection


POG1

Recommended Posts

Guest Anonymous

Re: forum SQL injection

 

nah

id rather have an ingame forum

Why? Just image - you have the latest and greatest game... with what? one login page, one register page that's it... That's all the search engines will be able to see - so unless you really advertise a lot, you will find it hard to push the ranking of your project.

Now using an external forum that is visible to the public (and more importantly) the search engines, you automatically promote your project. People will ask questions, your staff will reply... Think of all that lovely text that the crawlers can index...

The other benefit is that people can get a better feel for your game without necessarily registering. I've seen far too many games of late with the two (usually very poor quality login/register) pages. Having a forum there that I can peruse means I'm far more likely to signup and possibly donate.

And again with a publicly accessible forum, you can slap a few adverts in there from somewhere like adtoll, and gain extra income without lifting a finger.

Were you go that route, I'd suggest SMF myself, as it has far superior facilities for linking data directly from and to your game over other forums.

Link to comment
Share on other sites

Re: forum SQL injection

Someone recently posted a small forum modification for mccodes, I think it may be for all versions.

Having a forum application is unnecessary, since you only need it to host posts, not an PM system or things like that.

Unless you want to make an addition, if it is going to be used allot.

I think Amazon Survival did the right thing when it came to them, they are using an forum application(vBulletin), outside of their main game, that way you can give help to visitors that might have a problem.

To give an answer to the original question: I don't have mccodes version 2, that has the vulnerability, so I cannot say for sure.

Although it would properly be a simple case of the input variable not being sanitised, see examples below.

The url would normally be http://www.example.com/forums.php?cat_id=1, but it can be compromised by someone, making it: http://www.example.com/forums.php?cat_id=-1 UNION ALL SELECT NULL, NULL, USER(), HOST(), userpass, login_name, NULL, NULL FROM users WHERE userid=1 --

Anyone that knows MySQL would know what that would do.

 

Here is the type of programming that would be vulnerable to such input strings.

<?php

$cat_id = $_GET['cat_id'];
$query_txt = 'SELECT * FROM `categories` WHERE `cat_id` = \'' . $cat_id . '\'';
$query = mysql_query($query);
while($data = mysql_fetch_assoc($query)) { ... }

?>

A simple fix would be just to check if the input string is numeric.

<?php

$cat_id = (preg_match('/^[0-9]+$/i', $_GET['cat_id']) ? $_GET['cat_id'] : 1); // assuming cat_id 1 exists. 
$query_txt = 'SELECT * FROM `categories` WHERE `cat_id` = \'' . $cat_id . '\'';
$query = mysql_query($query);
while($data = mysql_fetch_assoc($query)) { ... }

?>

Hope it answers your question.

Link to comment
Share on other sites

Re: forum SQL injection

 

nah

id rather have an ingame forum

Why? Just image - you have the latest and greatest game... with what? one login page, one register page that's it... That's all the search engines will be able to see - so unless you really advertise a lot, you will find it hard to push the ranking of your project.

Now using an external forum that is visible to the public (and more importantly) the search engines, you automatically promote your project. People will ask questions, your staff will reply... Think of all that lovely text that the crawlers can index...

The other benefit is that people can get a better feel for your game without necessarily registering. I've seen far too many games of late with the two (usually very poor quality login/register) pages. Having a forum there that I can peruse means I'm far more likely to signup and possibly donate.

And again with a publicly accessible forum, you can slap a few adverts in there from somewhere like adtoll, and gain extra income without lifting a finger.

Were you go that route, I'd suggest SMF myself, as it has far superior facilities for linking data directly from and to your game over other forums.

thats a good point raised purely for the SEO purposes. ima gonna look for a cool forum engine now :P

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...