SA-MP Forums Archive
SQL INJection - Printable Version

+- SA-MP Forums Archive (https://sampforum.blast.hk)
+-- Forum: SA-MP Server (https://sampforum.blast.hk/forumdisplay.php?fid=6)
+--- Forum: Server Support (https://sampforum.blast.hk/forumdisplay.php?fid=19)
+--- Thread: SQL INJection (/showthread.php?tid=608678)



SQL INJection - Nin9r - 03.06.2016

How do I protect against SQL injection?

I am using savedetails to save all data from players on disconnect. Do I have to escape all the variables before that? When I use INSERT in some commands, I escape the values there. How do I detect which command or query is wrong?


Re: SQL INJection - SickAttack - 03.06.2016

Escape user inputs (strings) with the %q specifier in "format".


Re: SQL INJection - Nin9r - 05.06.2016

I asked you whether I have to escape all the strings, for example this:

Code:
format(str, sizeof(str), "Car Color ID 1?", price);
ShowPlayerDialog(playerid, 14511, DIALOG_STYLE_INPUT, "Paint Car", str, "Yes", "No");
}
and the dialogid:
Code:
if(dialogid == 14511)
{
    if(response)
    {
        if(!isnull(inputtext))
        {
            new points = strval(inputtext);
            new str[128];
            if(points >= 0)
            {
                col1[playerid] = points;
                mysql_real_escape_string(col1[playerid], col1[playerid]); // col1 holds the integer from strval(), not a string
                format(saveQuery, sizeof(saveQuery), "UPDATE playeraccounts SET playerCarColour1 = '%d' WHERE playerID = '%d'", col1[playerid], PlayerData[playerid][pInternalID]);
                mysql_tquery(handle, saveQuery);
            }
        }
    }
}
Must it be escaped?


Do you mean that I can use %e like

Code:
format(saveQuery, sizeof(saveQuery), "UPDATE playeraccounts SET playerCarKM = '%e' WHERE playerID = '%d'", PlayerData[playerid][pCarKM], PlayerData[playerid][pInternalID]);
mysql_tquery(handle, saveQuery);
instead of %d, %f (float) or any other type?


Please give me an example.
PS: I searched for INPUTTEXT in the entire GM and all the strings are escaped. How can I see where the problem is?


Re: SQL INJection - Spmn - 05.06.2016

Escape strings only (%s -> %e or %q)
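Nin9r asked above how to find the command or dialog that is leaking, and Spmn's answer is that only the %s specifiers in queries matter. A quick way to apply that rule to a whole gamemode is to scan the .pwn source for string literals that start with an SQL verb and still use a plain %s. The script below is an added example written for this thread, not code from the gamemode or from the MySQL plugin; the Pawn fragments it scans are constructed in the style of the code posted here, and the command names and variables in them are assumed.

```python
import re
import sys

# Constructed Pawn fragments in the style of the thread's own code. The command
# names (setname, setname2) and the params/inputtext variables are assumptions.
SAMPLE_PWN = """\
CMD:setname(playerid, params[])
{
    new query[256];
    format(query, sizeof(query), "UPDATE playeraccounts SET playerName = '%s' WHERE playerID = %d", params, PlayerData[playerid][pInternalID]);
    mysql_tquery(handle, query);
    return 1;
}
CMD:setname2(playerid, params[])
{
    new query[256];
    mysql_format(handle, query, sizeof(query), "UPDATE playeraccounts SET playerName = '%e' WHERE playerID = %d", params, PlayerData[playerid][pInternalID]);
    mysql_tquery(handle, query);
    return 1;
}
// integer goes through strval() and %d: nothing to escape
format(saveQuery, sizeof(saveQuery), "UPDATE playeraccounts SET playerCarColour1 = '%d' WHERE playerID = '%d'", col1[playerid], PlayerData[playerid][pInternalID]);
format(query, sizeof(query), "SELECT * FROM playeraccounts WHERE playerName = '%s'", inputtext);
format(str, sizeof(str), "Car Color ID %s?", inputtext);  // dialog text, not SQL
"""

# A double-quoted Pawn string literal, with backslash escapes allowed inside it.
STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')
# Literals that look like a query: they begin with an SQL verb.
SQL_START = re.compile(r'^\s*(SELECT|INSERT|UPDATE|DELETE|REPLACE)\b', re.IGNORECASE)
# A plain string specifier (optionally with a width), as opposed to %e or %q.
RAW_STRING = re.compile(r'%[-0-9.]*s')


def find_unescaped_queries(source):
    """Return (line_number, literal) for every SQL-looking string literal that
    still contains a plain %s. Queries using %e/%q, or only %d/%f, are skipped."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for literal in STRING_LITERAL.findall(line):
            if SQL_START.match(literal) and RAW_STRING.search(literal):
                hits.append((lineno, literal))
    return hits


if __name__ == "__main__":
    # Pass a .pwn path to scan a real file; with no argument the sample is scanned.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_PWN
    for lineno, literal in find_unescaped_queries(text):
        print("line %d: %s" % (lineno, literal))
```

On the sample it reports lines 4 and 17 (the two queries that put a raw %s into the SQL) and stays quiet about the %e query and the %d-only query. The check is line based, so it misses a query assembled with strcat or a string variable that already contains user input; grep those by hand. Finding nothing does not prove the script is clean, but a hit is always worth fixing.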


Re: SQL INJection - Konstantinos - 05.06.2016

Quote:
Originally Posted by Nin9r
Must it be escaped?

Do you mean that I can use %e like

Code:
format(saveQuery, sizeof(saveQuery), "UPDATE playeraccounts SET playerCarKM = '%e' WHERE playerID = '%d'", PlayerData[playerid][pCarKM], PlayerData[playerid][pInternalID]);
mysql_tquery(handle, saveQuery);
instead of %d, %f (float) or any other type?

PS: I searched for INPUTTEXT in the entire GM and all the strings are escaped. How can I see where the problem is?
Every string given by a user MUST be escaped before executing a query with it, whether it is inputtext from a dialog or params from a command.

No, you cannot use it like that. Strings are for strings, integers for integers, and so on.

What is the problem in the first place, were you a victim of SQL Injection?
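To make the two rules above concrete (escape every user-supplied string; integers that went through strval() carry nothing to escape), here is an added example that runs the thread's UPDATE pattern against an in-memory SQLite table. It is not code from the gamemode or from the MySQL plugin: the table rows and the attacker input are constructed, the column names are the ones mentioned in the thread, and SQLite stands in for MySQL so the example runs offline. escape_q() reproduces what format()'s %q does (doubling single quotes, the SQLite convention) and escape_mysql() what mysql_format's %e does (backslash escaping, the MySQL convention).

```python
import sqlite3

# Constructed in-memory stand-in for the gamemode's MySQL table. The column
# names follow the thread; the rows are made up.
SCHEMA = """
CREATE TABLE playeraccounts (
    playerID         INTEGER PRIMARY KEY,
    playerName       TEXT    NOT NULL,
    pTurbo           INTEGER NOT NULL DEFAULT 0,
    playerCarColour1 INTEGER NOT NULL DEFAULT 0
);
INSERT INTO playeraccounts VALUES (1, 'Nin9r', 4, 0);
INSERT INTO playeraccounts VALUES (7, 'Guest', 0, 0);
"""

# Constructed attacker input for a name dialog: closes the string literal, adds
# its own column assignment and WHERE clause, then comments out the real one.
PAYLOAD = "Bob', pTurbo = 5 WHERE playerID = 7 -- "


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def escape_q(s):
    """What SA-MP's format() %q does: double every single quote (SQLite style)."""
    return s.replace("'", "''")


def escape_mysql(s):
    """What mysql_format %e / mysql_escape_string do: backslash escaping (MySQL style).
    The two conventions are not interchangeable; use this one for MySQL."""
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\n": "\\n",
             "\r": "\\r", "\0": "\\0", "\x1a": "\\Z"}
    return "".join(table.get(c, c) for c in s)


def strval(s):
    """Mimic Pawn's strval(): optional sign and leading digits; anything else gives 0."""
    s = s.lstrip()
    i = 1 if s[:1] in ("+", "-") else 0
    j = i
    while j < len(s) and s[j].isdigit():
        j += 1
    return int(s[:j]) if j > i else 0


def rename_query(inputtext, playerid, escape=None):
    """The UPDATE built from a string field: plain %s when escape is None."""
    value = escape(inputtext) if escape else inputtext
    return "UPDATE playeraccounts SET playerName = '%s' WHERE playerID = %d" % (value, playerid)


def colour_query(inputtext, playerid):
    """Integer field: strval() then %d, so no character of the input reaches the SQL."""
    return "UPDATE playeraccounts SET playerCarColour1 = %d WHERE playerID = %d" % (
        strval(inputtext), playerid)


def turbo_of(conn, playerid):
    return conn.execute("SELECT pTurbo FROM playeraccounts WHERE playerID = ?",
                        (playerid,)).fetchone()[0]


def name_of(conn, playerid):
    return conn.execute("SELECT playerName FROM playeraccounts WHERE playerID = ?",
                        (playerid,)).fetchone()[0]


def rename_unescaped():
    """Player 1 submits PAYLOAD through a %s query: player 7 ends up with pTurbo = 5."""
    conn = new_db()
    conn.execute(rename_query(PAYLOAD, 1))
    return turbo_of(conn, 7), name_of(conn, 1)


def rename_escaped():
    """Same input through %q: player 1's name becomes the literal payload, nothing else."""
    conn = new_db()
    conn.execute(rename_query(PAYLOAD, 1, escape_q))
    return turbo_of(conn, 7), name_of(conn, 1)


if __name__ == "__main__":
    print(rename_query(PAYLOAD, 1))
    print("unescaped:", rename_unescaped())   # (5, 'Nin9r')
    print("escaped:  ", rename_escaped())     # (0, "Bob', pTurbo = 5 WHERE playerID = 7 -- ")
    print("integer:  ", colour_query("5, pTurbo = 5", 1))
```

The unescaped run shows exactly the kind of thing reported later in this thread: one dialog field is enough to write to any column, including the admin one, of any row whose playerID the attacker guesses. The integer path needs no escaping because strval() already discarded everything after the digits and %d can only emit digits. One caveat for MySQL users: doubling quotes (%q) is the SQLite rule, and with MySQL's default backslash handling an input such as `\' OR 1=1 -- ` becomes `\'' OR 1=1 -- `, which MySQL reads as an escaped quote followed by a closing quote, so the injection goes through. With the MySQL plugin use mysql_format with %e (or mysql_escape_string), which is what escape_mysql() models.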


Re: SQL INJection - Nin9r - 05.06.2016

Yes, I already am. Someone is getting into my server. I don't know how, but he is admin every time, and I don't know how he knows the database field for admin. I had 'pTurbo' and I guess he knew it, since he was adding values to it (I don't have any hidden command, because it is my GM).

1. He can see all the passwords for accounts. How?
2. Must values like pLevel = 1 be escaped if there is a dialog to set them?
3. Must a float be escaped?
4. How can I see the command or dialog where he is injecting?
5. Thank you!


Re: SQL INJection - Konstantinos - 05.06.2016

Are you sure that is the actual problem and not some "hole" in your script, like not resetting variables or many other possible reasons?

1. If you did not hash the passwords (plus a salt for extra security), that is your problem: you shouldn't save passwords as plain text.
2-3. Integers and Floats do not matter, only strings should be escaped.
4. Not sure what exactly you mean.

Other than that, you should restrict the privileges of the user you connect to SQL with, not allowing DROP and such unless the user is root (you shouldn't connect as root in mysql_connect/db_connect).
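Point 1 above, salted hashing instead of plain text, is what stops a dumped password column from being readable. The following is an added example of one way to do it, written for this thread and not taken from the gamemode or from SA-MP: PBKDF2-SHA256 with a random salt, stored as a single string so it fits the existing password column. The iteration count and the storage format are assumptions. (SA-MP 0.3.7 also ships a native SHA256_PassHash for the same purpose; whichever you use, the stored string is still a string and goes through %e like any other.)

```python
import hashlib
import hmac
import os

# Assumed parameters, not values from the thread's gamemode.
ITERATIONS = 200_000   # PBKDF2 work factor; raise it as the server's CPU allows
SALT_BYTES = 16        # 128-bit random salt per account


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>', with a fresh random
    salt unless one is supplied. Only this string is stored in the database."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute with the salt and iteration count from the stored string and
    compare in constant time. Malformed or unknown formats never verify."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        iterations = int(iterations)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256" or iterations <= 0:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest.hex(), hash_hex)


def demo():
    """Two hashes of the same password differ (random salt), both verify,
    a wrong password does not."""
    a = hash_password("hunter2")
    b = hash_password("hunter2")
    return a != b, verify_password("hunter2", a), verify_password("hunter2", b), verify_password("HUNTER2", a)


if __name__ == "__main__":
    print(hash_password("hunter2"))
    print(demo())   # (True, True, True, False)
```

Because the salt is part of the stored value, the login handler needs nothing beyond the row it already fetches, and an attacker who reads the table gets neither the passwords nor a shared salt to precompute against. For the privilege point in the same post, the usual shape is a dedicated MySQL account for the server that is granted only SELECT, INSERT and UPDATE on the gamemode's database, so that even a successful injection cannot DROP tables or read other databases.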


Re: SQL INJection - Nin9r - 05.06.2016

OK, but how did he guess that pTurbo was the field for the admin level?

4. I want to see in server_logs what command he used when he hacked the server.


Re: SQL INJection - Noris - 05.06.2016

What is sql injection?


Re: SQL INJection - Nin9r - 05.06.2016

Quote:
Originally Posted by SickAttack
Escape user inputs (strings) with the %q specifier in "format".
Give me an example, please. Do I have to escape it?
Code:
new amount = strval(inputtext);
PlayerData[userID][pAmmoWorks] = amount;
new saveQuery[256];
format(saveQuery, sizeof(saveQuery), "UPDATE playeraccounts SET AmmoWorks = '%d' WHERE playerID = '%d'", PlayerData[userID][pAmmoWorks], PlayerData[userID][pInternalID]);
mysql_tquery(handle, saveQuery);
Do I have to escape it, or only when I use %s?