tcaudilllg Dragonmaster
Joined: 20 Jun 2002 Posts: 1731 Location: Cedar Bluff, VA
Posted: Tue Jun 23, 2009 12:31 pm Post subject: Script Kiddy hacked the rpg
Some guy calling himself powermanbg, saying he's from Bulgaria.
Ninkazu Demon Hunter
Joined: 08 Aug 2002 Posts: 945 Location: Location:
Posted: Sun Jun 28, 2009 2:35 pm
What RPG and why do we care?
tcaudilllg Dragonmaster
Joined: 20 Jun 2002 Posts: 1731 Location: Cedar Bluff, VA
Posted: Mon Jun 29, 2009 4:54 am
The socionics RPG.
Does anyone have advice to prevent SQL injections via HTTP?
Hajo Demon Hunter
Joined: 30 Sep 2003 Posts: 779 Location: Between chair and keyboard.
Posted: Mon Jun 29, 2009 8:13 am
http shouldn't be the problem. It's a matter of how you assemble your SQLs and how you check your input values.
Unless you want to restructure your queries, a quick fix would be to check for SQL keywords (and maybe table names from your DB) in input and reject such input. You also may want to disallow ?, %, ' and such characters that are meaningful to a SQL interpreter.
Flawe Slightly Deformed Faerie Princess
Joined: 29 Nov 2007 Posts: 32 Location: London
Rainer Deyke Demon Hunter
Joined: 05 Jun 2002 Posts: 672
Posted: Mon Jun 29, 2009 9:32 am

Hajo wrote:
    Unless you want to restructure your queries, a quick fix would be to check for SQL keywords (and maybe table names from your DB) in input and reject such input. You also may want to disallow ?, %, ' and such characters that are meaningful to a SQL interpreter.

Pardon me for saying so, but that's just stupid, even as a quick fix. Strings like "Robert'); DROP TABLE Students; --" are perfectly valid, and your program should handle them like any other string. In fact, I recommend putting such strings in your unit tests to make sure they are handled correctly.
Correctly handling all strings (and preventing injection attacks in the process) is actually quite trivial. Simply make sure all your SQL queries are hardcoded in your program. Never put user input directly into a query, and never use a constructed string as a query. Use parametrized queries instead.
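The two approaches contrasted in the post above, as an added example that is not code from the thread: an ad hoc query that splices the value into the SQL text beside the parameterized form, exercised with the thread's own test string. It assumes Python's sqlite3 module (the game itself used PHP/MySQL) and a Students table named after that string.

```python
import sqlite3

# Constructed test input: the string from Rainer Deyke's post. A correct
# program stores it as an ordinary name; it must never be parsed as SQL.
TRICKY_NAME = "Robert'); DROP TABLE Students; --"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Students (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    return conn


def insert_ad_hoc(conn, name):
    # Ad hoc query: the value is spliced into the SQL text, so a quote in
    # the input closes the literal and whatever follows is read as SQL.
    conn.execute("INSERT INTO Students (name) VALUES ('%s')" % name)
    conn.commit()


def insert_parameterized(conn, name):
    # Parameterized query: the SQL text is a constant; the driver passes
    # the value separately, so it can only ever be data.
    conn.execute("INSERT INTO Students (name) VALUES (?)", (name,))
    conn.commit()


def compare(name=TRICKY_NAME):
    """Return (names stored via the parameterized path, ids found when the
    same name is looked up with a parameter, whether the ad hoc path
    accepted the input without error)."""
    conn = make_db()
    insert_parameterized(conn, name)
    stored = [r[0] for r in conn.execute("SELECT name FROM Students ORDER BY id")]
    found = [r[0] for r in conn.execute("SELECT id FROM Students WHERE name = ?", (name,))]
    try:
        insert_ad_hoc(conn, name)
        ad_hoc_accepted = True
    except (sqlite3.Error, sqlite3.Warning):
        # The spliced text is no longer the single INSERT we wrote: sqlite3
        # refuses the trailing statement (older versions raise Warning,
        # newer ones ProgrammingError). A driver that ran every statement
        # would execute the DROP TABLE instead.
        ad_hoc_accepted = False
    return stored, found, ad_hoc_accepted


if __name__ == "__main__":
    print(compare())
    print(compare("Robert"))
```

A plain name such as "Robert" passes both paths, which is exactly why the problem goes unnoticed until a quote shows up in the input.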
Verious Mage
Joined: 06 Jan 2004 Posts: 409 Location: Online
Posted: Mon Jun 29, 2009 7:16 pm
I recommend switching to parameterized queries instead of using ad hoc queries.
tcaudilllg Dragonmaster
Joined: 20 Jun 2002 Posts: 1731 Location: Cedar Bluff, VA
Posted: Tue Jun 30, 2009 10:46 am

Verious wrote:
    I recommend switching to parameterized queries instead of using ad hoc queries.

Explain.
Ninkazu Demon Hunter
Joined: 08 Aug 2002 Posts: 945 Location: Location:
Flawe Slightly Deformed Faerie Princess
Joined: 29 Nov 2007 Posts: 32 Location: London
RedSlash Mage
Joined: 12 May 2005 Posts: 331
tcaudilllg Dragonmaster
Joined: 20 Jun 2002 Posts: 1731 Location: Cedar Bluff, VA
Posted: Tue Jun 30, 2009 9:55 pm

RedSlash wrote:
    http://www.php.net/mysql_real_escape_string

Thanks for that.