1. SA-MP Forums Archive
  2. SA-MP Server
  3. Server Support

Threaded Mode
SQL INJection
Nin9r
Huge Clucker
****
Posts: 331
Threads: 84
Joined: Feb 2015
Reputation: 0
#1

03.06.2016, 22:58
How to be protect against sql injection?

I am using savedetails to save all dates from players on disconnect. Do i have to escape all the variables before that? When i use INSERT in some commands, i escape there the values. How to detect which command or query is wrong?
Find
Reply
SickAttack
High-roller
*****
Posts: 4,759
Threads: 33
Joined: Dec 2013
Reputation: 0
#2

03.06.2016, 23:04
Escape user inputs (strings) with the %q specifier in "format".
Find
Reply
Nin9r
Huge Clucker
****
Posts: 331
Threads: 84
Joined: Feb 2015
Reputation: 0
#3

05.06.2016, 09:53
( Последний раз редактировалось Nin9r; 05.06.2016 в 10:26. )
I asked you if i have to escape all the strings, for example this:

Код HTML:
format(str, sizeof(str), "Car Color ID 1?", price);
			    			ShowPlayerDialog(playerid, 14511, DIALOG_STYLE_INPUT, "Paint Car", str, "Yes", "No");
				}
and dialogid
Код HTML:
if(dialogid == 14511)
 	{
 	    if(response)
 	    {
 	        if(!isnull(inputtext))
 	        {
 	            new points = strval(inputtext);
 	            new str[128];
					if(points >= 0)
					{
							col1[playerid] = points;
mysql_real_escape_string(col1[playerid], col1[playerid]);
							format(saveQuery, sizeof(saveQuery), "UPDATE playeraccounts SET playerCarColour1 = '%d'  WHERE playerID = '%d'",col1[playerid], PlayerData[playerid][pInternalID]);
						mysql_tquery(handle,saveQuery);
					}
	 	   }
          }
  }
It must be escaped?


Do you wanna say that i can use %e like

Код HTML:
format(saveQuery, sizeof(saveQuery), "UPDATE playeraccounts SET playerCarKM = '%e' WHERE playerID = '%d'",PlayerData[playerid][pCarKM],PlayerData[playerid][pInternalID]);
	mysql_tquery(handle,saveQuery);
instead %d, %f (float ) or any type?


Please make me an example.
PS: I searched INPUTTEXT on the entire GM and all the strings are escaped. How can I see where's the problem?
Find
Reply
Spmn
Gangsta
****
Posts: 513
Threads: 4
Joined: Jun 2015
Reputation: 0
#4

05.06.2016, 10:46
Escape strings only (%s -> %e or %q)
Find
Reply
Konstantinos
Spam Machine
*****
Posts: 11,827
Threads: 33
Joined: Dec 2011
Reputation: 0
#5

05.06.2016, 10:54
Quote:
Originally Posted by Nin9r
Посмотреть сообщение
It must be escaped?

Do you wanna say that i can use %e like

Код HTML:
format(saveQuery, sizeof(saveQuery), "UPDATE playeraccounts SET playerCarKM = '%e' WHERE playerID = '%d'",PlayerData[playerid][pCarKM],PlayerData[playerid][pInternalID]);
	mysql_tquery(handle,saveQuery);
instead %d, %f (float ) or any type?

PS: I searched INPUTTEXT on the entire GM and all the strings are escaped. How can I see where's the problem?
Every string given by a user MUST be escaped before executing a query with it. Either be inputtext from a dialog or params from a command.

No, you cannot use it like that. Strings are for string, integers for integers and so on.

What is the problem in the first place, were you a victim of SQL Injection?
Find
Reply
Nin9r
Huge Clucker
****
Posts: 331
Threads: 84
Joined: Feb 2015
Reputation: 0
#6

05.06.2016, 11:10
Yes. I am already. Someone is entering on my server. I don't know how but he is admin everytime and i don't know how knows the field from database for admin. I had 'pTurbo' and i guess that he knew it if he was adding some values on it.( i have not any hidden cmd because is my gm ).

1. He can see all the password for accounts.. how ?
2. The values like pLevel = 1; must be esaped if is a dialog to set it?
3. A float must be escaped?
4. How can I see the cmd or dialog where he is injecting?
5. Thank you!
Find
Reply
Konstantinos
Spam Machine
*****
Posts: 11,827
Threads: 33
Joined: Dec 2011
Reputation: 0
#7

05.06.2016, 11:19
Are you sure that is the actual problem and not some "hole" in your script? Like not resetting variables or many other different reasons.

1. If you did not hash the passwords (+ adding salt for extra security) is your problem - you shouldn't save passwords as plain text.
2-3. Integers and Floats do not matter, only strings should be escaped.
4. Not sure what exactly you mean.

Other than that, you should restrict the access for the queries for the user you are connecting to SQL. Not allowing DROP and such unless the user is root (you shouldn't connect with root in mysql_connect/db_connect).
Find
Reply
Nin9r
Huge Clucker
****
Posts: 331
Threads: 84
Joined: Feb 2015
Reputation: 0
#8

05.06.2016, 11:22
Ok but how did he guess that pTurbo was the field for admin level?

4. I want to see in server_logs what command he used when hacked the server.
Find
Reply
Noris
Banned
Posts: 156
Threads: 25
Joined: May 2016
#9

05.06.2016, 15:09
What is sql injection?
Find
Reply
Nin9r
Huge Clucker
****
Posts: 331
Threads: 84
Joined: Feb 2015
Reputation: 0
#10

05.06.2016, 15:24
Quote:
Originally Posted by SickAttack
Посмотреть сообщение
Escape user inputs (strings) with the %q specifier in "format".
give me an example please. Do i have to escape it?
Код HTML:
new amount = strval(inputtext);
PlayerData[userID][pAmmoWorks] = amount;
                    new saveQuery[256];
					format(saveQuery, sizeof(saveQuery), "UPDATE playeraccounts SET AmmoWorks = '%d' WHERE playerID = '%d'",PlayerData[userID][pAmmoWorks],PlayerData[userID][pInternalID]);
							mysql_tquery(handle,saveQuery);
do I have to escape it or just when i use %s?
Find
Reply
« Next Oldest | Next Newest »


Forum Jump:


Users browsing this thread: 2 Guest(s)
  1. SA-MP Forums Archive
  2. SA-MP Server
  3. Server Support