Someone is crashing my server!
#1

Hello guys,

My problem is that someone is crashing my server. I think they are doing something in the login dialog.
I got this in my server_log:
Code:
[18:22:41] Last dialog input: '; UPDATE Accounts SET Admin = '100' WHERE name = 'Rhaskos. from dialogid: 83
[18:22:41] [debug] Server crashed while executing rrs.amx
[18:22:41] [debug] AMX backtrace:
[18:22:41] [debug] #0 00000069 in Debug_Print0 (... <27 variable arguments>) at C:\Users\Computer\Desktop\RRS\pawno\include\float.inc:102
[18:22:41] [debug] #1 00000069 in Debug_Print0 (... <255852544 variable arguments>) at C:\Users\Computer\Desktop\RRS\pawno\include\float.inc:102
[18:22:41] [debug] System backtrace:
Yeah, I have SQL injection protection, and dialogid 83 is the login dialog.
How can I solve this problem?
Reply
#2

Nobody knows what's the problem?
Reply
#3

Looks like SQL injection. Print out the entire query. Make sure you escape the input string (mysql_real_escape_string() IIRC).
Reply
#4

Quote:
Originally Posted by MP2
Looks like SQL injection. Print out the entire query. Make sure you escape the input string (mysql_real_escape_string() IIRC).
Yus

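pawn Code:
new safestring[2 * 129]; //129 is max input right? o_O
// Escaping can add a backslash per character, so the destination is sized for twice the input.

mysql_real_escape_string(inputtext,safestring);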
Then the query becomes:

pawn Code:
new query[384]; // large enough for the escaped input plus the player name
// %s, not %d: safestring is a string
format(query,sizeof(query),"UPDATE `accounts` SET `Admin`='%s' WHERE `name`='%s'",safestring,Name[playerid]);
mysql_query(query);
That's how I do it anyway. Been able to avoid it so far. Add a mysql_real_escape_string on each UPDATE/INSERT query (dialogs, OnPlayerText() etc).
Reply
#5

Wait.. what? Why are you setting someone's admin level to 100 when they login..? So you're telling me on the login dialog, when they enter their password, it takes their password and tries to update mySQL to set their admin level to the value of their password? Either I'm very stupid and have vastly misunderstood this, or you haven't explained it properly. I'm thinking the latter..
Reply
#6

You didn't understand! The problem is that if someone writes a huge password in the login dialog, the server is going to crash. I escaped the string, that's not the problem. So if someone types a password with a lot of characters, then the server crashes, and as you can see, the injection has a lot of characters and is crashing my server, but it has nothing to do with real escape string.
Reply
#7

Use strlen to check the string length, then set a limit.
Reply
#8

Or hash the password.
It will not only increase the security of your players' accounts (in case they could hack your database/playerfiles).
Also the length of the password won't matter as all characters inputted will be hashed into a single limited-size string.
You won't even need to escape the hash, as hashes don't contain MySQL-sensitive characters like '
Reply
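
The length check from post #7 and the hashing from post #8, combined in one login handler. This is an added example, not code posted by anyone in the thread; it assumes SA-MP 0.3.7 (for the SHA256_PassHash native), the mysql_* natives used in post #4, and the hypothetical names MIN_PASSWORD_LEN, MAX_PASSWORD_LEN, gSalt and a `password` column holding the stored hash.

```pawn
// Added example, not code from the thread.
#include <a_samp>
// Also needs the MySQL plugin include that provides the mysql_* natives
// used in post #4 (its file name depends on the plugin; not given in the thread).

#define DIALOG_LOGIN     83   // login dialog id from the log in post #1
#define MIN_PASSWORD_LEN 4    // assumed policy
#define MAX_PASSWORD_LEN 32   // assumed policy

new gSalt[MAX_PLAYERS][17];   // hypothetical: per-account salt loaded on connect

public OnDialogResponse(playerid, dialogid, response, listitem, inputtext[])
{
    if (dialogid != DIALOG_LOGIN) return 0;
    if (!response) { Kick(playerid); return 1; }

    // 1. Length gate first: oversized input is rejected before it is
    //    copied, escaped or formatted into any fixed-size buffer.
    new len = strlen(inputtext);
    if (len < MIN_PASSWORD_LEN || len > MAX_PASSWORD_LEN)
    {
        ShowPlayerDialog(playerid, DIALOG_LOGIN, DIALOG_STYLE_PASSWORD,
            "Login", "Password must be 4-32 characters.", "Login", "Quit");
        return 1;
    }

    // 2. Hash: the output is always 64 hex characters, whatever was typed,
    //    so no text from the dialog reaches the SQL statement.
    new hash[65];
    SHA256_PassHash(inputtext, gSalt[playerid], hash, sizeof(hash));

    // 3. Escape the name into a worst-case sized buffer (2n+1), then build
    //    the query with format(), which stops writing at sizeof(query).
    new name[MAX_PLAYER_NAME + 1], safename[2 * MAX_PLAYER_NAME + 1], query[256];
    GetPlayerName(playerid, name, sizeof(name));
    mysql_real_escape_string(name, safename);
    format(query, sizeof(query),
        "SELECT `Admin` FROM `accounts` WHERE `name`='%s' AND `password`='%s'",
        safename, hash);
    mysql_query(query);
    return 1;
}
```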
#9

Are you setting the player admin level after he logs in or before? Because if you set it before, that can actually be the problem as to why it crashes...
Reply
#10

StreetGT gave me the good answer, thanks!
Reply