MakeWebGames


Guest Anonymous
Posted

Re: Mysql injection that actually works

*Nyna sighs*

This has been discussed time and time again. Use the search facility, read the PHP FAQs, and see mysql_real_escape_string().

Posted

Re: Mysql injection that actually works

$_GET['ID'] = abs((int) $_GET['ID']);

for markets.

$_GET['viewforum'] = abs(@intval($_GET['viewforum']));

$_GET['viewtopic'] = abs(@intval($_GET['viewtopic']));

for forums.php.

Posted

Re: Mysql injection that actually works

The thing a lot of people don't get is that the forum isn't the only place for a hacker; they can obtain your password and user name from near enough any input, so just putting a few lines in the header isn't going to protect your whole game. You need to go through pretty much all of it. I would like to show you how to do this, but I'm not 100% sure on SQL protection.

Posted

Re: Mysql injection that actually works

<?php
// Undoes the escaping added by magic_quotes_gpc (removed in PHP 5.4) so that
// input is escaped exactly once, later, right before it reaches the database.
function stripslashes_gpc( &$var ){
	// foreach replaces the removed each()/list() loop; $var is modified in place
	foreach( $var as $key => $value ){
		if( is_array( $value ) ){
			stripslashes_gpc( $var[$key] );
		}
		else
		{
			$var[$key] = stripslashes( $value );
		}
	}
}
if( count( $_GET ) > 0 ){ stripslashes_gpc( $_GET ); }
if( count( $_POST ) > 0 ){ stripslashes_gpc( $_POST ); }
if( count( $_COOKIE ) > 0 ){ stripslashes_gpc( $_COOKIE ); }
?>


Not sure if it works, but a friend told me. I'm not very good at SQL protecting :/

Posted

Re: Mysql injection that actually works

Let's put it this way.

Any variable, text or numerical, can be abused.

The script is well known.

If you have a variable

$x

All I have to do at the injection point is maybe feed it over the URL as

page.php?x=9999999

Simple to fix: verify data.

How about form data?

Check that it's valid before updating. Some plugins allow you to change HTML properties and data before a form is submitted.

Example.

<input type="hidden" name="school" value="1">

Hell, it really isn't hidden at all. I can change it to 9000000 if I wanted to and submit it. But are you verifying that it's valid?

There is more to things than the eye lets you see. Google is your friend and we are here to help point you in the right direction. Giving code away is not what I and most others will do. However, pointing you in the direction to learn and how to better secure things, we will.

If you have tried and tried and just can't get it, paste your code. We will run it over in our spare time and respond back if we are not too busy.

But note we won't debug an entire script for you.

TJ
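An added example, not code posted in this thread, that puts the two checks the posts describe side by side with the query they protect: the `abs((int) ...)` cast from the second reply on the `viewtopic` parameter, and a server-side check of the hidden `school` field TJ describes. The table names `forum_topics` and `schools`, the function names and the SQLite demo database are assumptions made up for the example.

```php
<?php
// Vulnerable: the raw parameter is concatenated into the query, so a value
// such as "1 OR 1=1" is parsed as SQL and the WHERE clause matches every row.
function fetchTopicUnsafe(PDO $db, array $get): array
{
    $sql = "SELECT id, title FROM forum_topics WHERE id = " . $get['viewtopic'];
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: cast the id as the thread suggests, reject 0 (missing or junk),
// then bind it so the value can never change the shape of the statement.
function fetchTopicSafe(PDO $db, array $get): ?array
{
    $id = abs((int) ($get['viewtopic'] ?? 0));   // "1 OR 1=1" casts to 1
    if ($id === 0) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, title FROM forum_topics WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hidden field: <input type="hidden" name="school" value="1"> can be edited
// to 9000000 before submit, so verify server-side that the id really exists
// instead of trusting the form.
function validSchoolId(PDO $db, array $post): ?int
{
    $school = abs((int) ($post['school'] ?? 0));
    $stmt = $db->prepare('SELECT COUNT(*) FROM schools WHERE id = ?');
    $stmt->execute([$school]);
    return $stmt->fetchColumn() > 0 ? $school : null;
}

// Constructed in-memory database (assumed schema) so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE forum_topics (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO forum_topics VALUES (1, 'Rules'), (2, 'Staff only notes')");
$db->exec('CREATE TABLE schools (id INTEGER PRIMARY KEY)');
$db->exec('INSERT INTO schools VALUES (1), (2)');

$tampered = ['viewtopic' => '1 OR 1=1'];
echo count(fetchTopicUnsafe($db, $tampered)), " rows returned by unsafe query\n"; // 2
print_r(fetchTopicSafe($db, $tampered));                 // only topic 1
var_dump(validSchoolId($db, ['school' => '9000000']));   // NULL: rejected
var_dump(validSchoolId($db, ['school' => '2']));         // int(2)
```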
