SQL Injection
#1

How to protect against SQL injection?

I am using savedetails to save all the data from players on disconnect. Do I have to escape all the variables before that? When I use INSERT in some commands, I escape the values there. How do I detect which command or query is the wrong one?
#2

Escape user inputs (strings) with the %q specifier in "format".
#3

I asked you whether I have to escape all the strings, for example this:

Code:
new str[64];
// price is passed to format() but the posted string had no specifier for it
format(str, sizeof(str), "Car Color ID 1? Price: %d", price);
ShowPlayerDialog(playerid, 14511, DIALOG_STYLE_INPUT, "Paint Car", str, "Yes", "No");
and the dialogid handler:
Code:
if (dialogid == 14511)
{
    if (response)
    {
        if (!isnull(inputtext))
        {
            new points = strval(inputtext);   // integer: whatever was typed is now a number
            new saveQuery[128];               // not declared in the posted snippet
            if (points >= 0)
            {
                col1[playerid] = points;
                // mysql_real_escape_string(col1[playerid], col1[playerid]);
                // ^ does not compile as posted: it expects string arrays, and col1[playerid] is an integer
                format(saveQuery, sizeof(saveQuery),
                    "UPDATE playeraccounts SET playerCarColour1 = '%d' WHERE playerID = '%d'",
                    col1[playerid], PlayerData[playerid][pInternalID]);
                mysql_tquery(handle, saveQuery);
            }
        }
    }
}
Must it be escaped?


Do you mean that I can use %e like

Code:
format(saveQuery, sizeof(saveQuery),
    "UPDATE playeraccounts SET playerCarKM = '%e' WHERE playerID = '%d'",
    PlayerData[playerid][pCarKM], PlayerData[playerid][pInternalID]);
mysql_tquery(handle, saveQuery);
instead of %d, %f (float) or any other type?


Please give me an example.
PS: I searched for INPUTTEXT in the entire GM and all the strings are escaped. How can I see where the problem is?
#4

Escape strings only (%s -> %e or %q)
#5

Quote:
Originally Posted by Nin9r
Must it be escaped?

Do you mean that I can use %e like

Code:
format(saveQuery, sizeof(saveQuery),
    "UPDATE playeraccounts SET playerCarKM = '%e' WHERE playerID = '%d'",
    PlayerData[playerid][pCarKM], PlayerData[playerid][pInternalID]);
mysql_tquery(handle, saveQuery);
instead of %d, %f (float) or any other type?

PS: I searched for INPUTTEXT in the entire GM and all the strings are escaped. How can I see where the problem is?
Every string given by a user MUST be escaped before executing a query with it, be it inputtext from a dialog or params from a command.

No, you cannot use it like that. Strings are for strings, integers for integers and so on.

What is the problem in the first place? Were you a victim of SQL injection?
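An added example, not code from this thread, of the distinction the reply above draws between strings and numbers. It uses the SA-MP MySQL plugin's R33-style API (mysql_format with its %e specifier, mysql_tquery, cache_num_rows) and the thread's playeraccounts table with its playerID and playerCarColour1 columns; the playerName column, the callback names and the sample input are assumptions of mine.

```pawn
// Added example, not code from the thread. Assumes the SA-MP MySQL plugin (R33-style
// API: mysql_format with %e, mysql_tquery, cache_num_rows) and a playerName column in
// playeraccounts; the callback names are mine.
#include <a_samp>
#include <a_mysql>

new handle;   // connection handle returned by mysql_connect() elsewhere in the gamemode

enum pInfo { pInternalID }
new PlayerData[MAX_PLAYERS][pInfo];

// VULNERABLE: %s pastes the player's text into the SQL untouched.
// Constructed input   x' OR '1'='1   turns the WHERE clause into
//     playerName = 'x' OR '1'='1'
// which is true for every row, so the lookup matches an arbitrary account.
stock LookupAccount_Vulnerable(playerid, const inputtext[])
{
    new query[160];
    format(query, sizeof(query),
        "SELECT playerID FROM playeraccounts WHERE playerName = '%s'", inputtext);
    mysql_tquery(handle, query, "OnAccountLookup", "d", playerid);
}

// SAFE: %e makes mysql_format() escape quotes and backslashes, so the same input
// becomes the harmless literal   'x\' OR \'1\'=\'1'
stock LookupAccount_Safe(playerid, const inputtext[])
{
    new query[200];
    mysql_format(handle, query, sizeof(query),
        "SELECT playerID FROM playeraccounts WHERE playerName = '%e'", inputtext);
    mysql_tquery(handle, query, "OnAccountLookup", "d", playerid);
}

// INTEGERS: nothing to escape. strval() has already reduced whatever was typed to a
// number, and %d can only emit digits and a minus sign. The only check that matters
// is the range (SA-MP 0.3.7 vehicle colour IDs are 0..255).
stock SaveCarColour(playerid, const inputtext[])
{
    new points = strval(inputtext);
    if (points < 0 || points > 255) return 0;
    new query[128];
    mysql_format(handle, query, sizeof(query),
        "UPDATE playeraccounts SET playerCarColour1 = %d WHERE playerID = %d",
        points, PlayerData[playerid][pInternalID]);
    mysql_tquery(handle, query);
    return 1;
}

forward OnAccountLookup(playerid);
public OnAccountLookup(playerid)
{
    // A lookup by name should return at most one row; more than one is itself a
    // sign that a quote got through unescaped.
    if (cache_num_rows() != 1)
    {
        SendClientMessage(playerid, 0xFF0000FF, "Account not found.");
        return 1;
    }
    // ... read playerID from row 0 and continue ...
    return 1;
}
```

The same rule applies to floats: %f emits only digits, a sign and a decimal point, so a value that has already been converted with floatstr() cannot carry a quote into the query. Only text that is still text at the moment it is formatted into SQL needs %e.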
#6

Yes, I already am. Someone is getting into my server. I don't know how, but he is admin every time, and I don't know how he knows the admin field in the database. I had 'pTurbo' and I guess he found out about it if he was adding some values to it. (I don't have any hidden cmd because it is my GM.)

1. He can see all the passwords for the accounts... how?
2. Must values like pLevel = 1 be escaped if a dialog sets them?
3. Must a float be escaped?
4. How can I see the cmd or dialog where he is injecting?
5. Thank you!
#7

Are you sure that is the actual problem and not some "hole" in your script, like not resetting variables or many other different reasons?

1. If you did not hash the passwords (+ add a salt for extra security), that is your problem - you shouldn't save passwords as plain text.
2-3. Integers and floats do not matter; only strings should be escaped.
4. Not sure what exactly you mean.

Other than that, you should restrict the access to queries for the user you connect to SQL with: do not allow DROP and such unless the user is root (and you shouldn't connect as root in mysql_connect/db_connect).
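An added example, not code from the thread, of the salted hashing the reply above recommends. It uses the SHA256_PassHash native that SA-MP 0.3.7 provides, the MySQL plugin's R33-style mysql_format/mysql_tquery/cache_get_field_content, and the thread's playeraccounts table; the playerName, playerPassword and playerSalt columns, the callback names and the salt length are assumptions of mine.

```pawn
// Added example, not code from the thread. Assumes SA-MP 0.3.7 (SHA256_PassHash),
// the MySQL plugin's R33-style API, and three assumed columns in playeraccounts:
// playerName, playerPassword (64 hex chars) and playerSalt.
#include <a_samp>
#include <a_mysql>

new handle;   // connection handle from mysql_connect()

#define SALT_LEN 16

// Fill salt[] with SALT_LEN random characters from a fixed alphabet. SA-MP's random()
// is not a cryptographic generator, but a salt only has to be unique per account, not
// secret, so it is adequate here.
stock MakeSalt(salt[SALT_LEN + 1])
{
    static const chars[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
    for (new i = 0; i < SALT_LEN; i++)
        salt[i] = chars[random(sizeof(chars) - 1)];   // sizeof counts the terminator
    salt[SALT_LEN] = EOS;
}

// Registration: store SHA256(password + salt) next to the salt. Because the hash is hex
// and the salt comes from our own alphabet, neither can break the query, but %e is
// still used for every string so the habit never has an exception.
stock RegisterAccount(playerid, const name[], const password[])
{
    new salt[SALT_LEN + 1], hash[65], query[256];
    MakeSalt(salt);
    SHA256_PassHash(password, salt, hash, sizeof(hash));
    mysql_format(handle, query, sizeof(query),
        "INSERT INTO playeraccounts (playerName, playerPassword, playerSalt) VALUES ('%e', '%e', '%e')",
        name, hash, salt);
    mysql_tquery(handle, query, "OnAccountRegistered", "d", playerid);
}

// Login: fetch the stored salt and hash, recompute, compare. The password itself never
// reaches SQL, so a quote inside it cannot do anything.
stock LoginAccount(playerid, const name[], const password[])
{
    new query[200];
    mysql_format(handle, query, sizeof(query),
        "SELECT playerPassword, playerSalt FROM playeraccounts WHERE playerName = '%e' LIMIT 1",
        name);
    mysql_tquery(handle, query, "OnLoginLookup", "ds", playerid, password);
}

forward OnAccountRegistered(playerid);
public OnAccountRegistered(playerid)
{
    SendClientMessage(playerid, 0x00FF00FF, "Account created.");
    return 1;
}

forward OnLoginLookup(playerid, const password[]);
public OnLoginLookup(playerid, const password[])
{
    if (cache_num_rows() == 0) return Kick(playerid);

    new stored[65], salt[SALT_LEN + 1], hash[65];
    cache_get_field_content(0, "playerPassword", stored, handle, sizeof(stored));
    cache_get_field_content(0, "playerSalt", salt, handle, sizeof(salt));

    // Pawn's strcmp treats an empty string as equal to anything, so an empty stored
    // hash (a broken or half-migrated row) must be rejected explicitly.
    if (stored[0] == EOS) return Kick(playerid);

    SHA256_PassHash(password, salt, hash, sizeof(hash));
    if (strcmp(stored, hash, false) != 0) return Kick(playerid);

    SendClientMessage(playerid, 0x00FF00FF, "Logged in.");
    return 1;
}
```

With this layout a dumped table yields hashes and salts, not passwords, which answers point 1 of the previous post. The privilege restriction in the same reply is done on the MySQL side, not in Pawn; as an illustration with assumed names, GRANT SELECT, INSERT, UPDATE ON gamedb.playeraccounts TO 'samp'@'localhost' gives the gamemode's user what the queries above need and nothing that could drop or alter the schema.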
#8

OK, but how did he guess that pTurbo was the field for the admin level?

4. I want to see in server_log what command he used when he hacked the server.
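An added example, not code from the thread, of how to answer point 4 above by recording every command and dialog input with the player who sent it, so that a later change to a field like pTurbo can be traced back to the exact text that caused it. It uses only SA-MP natives (GetPlayerName, GetPlayerIp, getdate, gettime, fopen/fwrite); the log file name and the "suspicious" heuristic are my choices, and if the gamemode uses a command processor such as zcmd the AuditInput call belongs in its own hook instead of OnPlayerCommandText.

```pawn
// Added example, not code from the thread. Appends every command and dialog input
// to scriptfiles/input_audit.log (file name is mine) with time, player id, name and IP.
#include <a_samp>

#define AUDIT_FILE "input_audit.log"

// Heuristic flag, not a filter: returns 1 if the text contains characters that only
// matter inside SQL. A legitimate name like O'Neil trips it too, so it is used to
// mark lines for review, never to block the input.
stock LooksLikeSQL(const text[])
{
    for (new i = 0; text[i] != EOS; i++)
    {
        switch (text[i])
        {
            case '\'', '"', '\\', ';': return 1;
        }
        if (text[i] == '-' && text[i + 1] == '-') return 1;   // SQL line comment
    }
    return 0;
}

// One line per input: [date time] source id=N name=... ip=... [SUSPICIOUS]: text
stock AuditInput(playerid, const source[], const text[])
{
    new name[MAX_PLAYER_NAME], ip[16], flag[12], line[512];
    new year, month, day, hour, minute, second;

    GetPlayerName(playerid, name, sizeof(name));
    GetPlayerIp(playerid, ip, sizeof(ip));
    getdate(year, month, day);
    gettime(hour, minute, second);

    flag[0] = EOS;
    if (LooksLikeSQL(text)) strcat(flag, " SUSPICIOUS");

    format(line, sizeof(line), "[%04d-%02d-%02d %02d:%02d:%02d] %s id=%d name=%s ip=%s%s: %s\r\n",
        year, month, day, hour, minute, second, source, playerid, name, ip, flag, text);

    new File:f = fopen(AUDIT_FILE, io_append);
    if (f)
    {
        fwrite(f, line);
        fclose(f);
    }
}

public OnPlayerCommandText(playerid, cmdtext[])
{
    AuditInput(playerid, "cmd", cmdtext);
    return 0;   // let the rest of the gamemode handle the command as before
}

public OnDialogResponse(playerid, dialogid, response, listitem, inputtext[])
{
    if (response)
    {
        new source[24];
        format(source, sizeof(source), "dialog %d", dialogid);   // dialogid says which query ran
        AuditInput(playerid, source, inputtext);
    }
    return 0;   // existing dialog handlers still run
}
```

Read together with the MySQL plugin's own query log (its mysql_log() function with the log level that records all queries, whose exact constant differs between plugin versions), a SUSPICIOUS line followed by an UPDATE on playeraccounts pinpoints the command or dialog that still formats a string with %s.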
#9

What is SQL injection?
#10

Quote:
Originally Posted by SickAttack
Escape user inputs (strings) with the %q specifier in "format".
Give me an example please. Do I have to escape it?
Code:
new amount = strval(inputtext);   // the typed text is reduced to an integer here
PlayerData[userID][pAmmoWorks] = amount;
new saveQuery[256];
format(saveQuery, sizeof(saveQuery),
    "UPDATE playeraccounts SET AmmoWorks = '%d' WHERE playerID = '%d'",
    PlayerData[userID][pAmmoWorks], PlayerData[userID][pInternalID]);
mysql_tquery(handle, saveQuery);
Do I have to escape it, or only when I use %s?

