Truncate
Today was the first day in about a month that I looked into one of my games' DBs at the users. I noticed several times that a user tried to create a user account and tried to Truncate the users table. I almost laughed so hard because of all these different tries. I guess I did my job quite well.
Just thought I would share that with everyone, but it did show me one flaw that I will work on by adding specific characters to the blacklist of banned user names.
Languages:
PHP, MYSQL, (X)HTML, HTML5, JQuery, CSS 3.0,
C, C#, C++, Python, Pascal, Perl, Ruby, Turing
Software:
Adobe MC CS4, Visual Studio 2008, Notepad++,
NetBeans IDE, WAMPSERVER
Browsers:
Internet Explorer, Firefox, Opera, Safari, Chrome
(Always have latest patches for browsers.)
Free time:
...
Re: Truncate
Hm, this is one issue I've not heard about. Could you share some more details on how to protect against it, how to recognize it etc?
Re: Truncate
The term is SQL injection.
http://en.wikipedia.org/wiki/SQL_injection
http://unixwiz.net/techtips/sql-injection.html
Code:
mysql_real_escape_string()
That is probably your biggest asset against SQL injection.
edit -
If you ever have all your databases deleted randomly, it is probably that you didn't use mysql_real_escape_string or didn't serialize your user-inputted variables properly, which allowed them to access your database directly.
Last edited by jpoisson on Sat Feb 20, 2010 12:57 pm, edited 1 time in total.
Re: Truncate
Ah ok, then I know what you mean.
Re: Truncate
yea, I realized I was really descriptive in my original post, but in my defense I was tired and couldn't remember the term SQL injection... *Looks at his feet in disappointment*
- hallsofvallhalla
- Site Admin
- Posts: 12026
- Joined: Wed Apr 22, 2009 11:29 pm
Re: Truncate
ah thanks for posting this. Yes, little 12-year-old dweebs start hacking this way. It's a poor excuse for hacking, but they think they are kewl
- Jackolantern
- Posts: 10891
- Joined: Wed Jul 01, 2009 11:00 pm
Re: Truncate
We often think of people trying to drop your tables, but there are much less noticeable problems that players can use SQL injection for. This page in the PHP manual outlines the problem near the bottom of the page in the examples. Basically, the user adds SQL code to skip the password check, so they can log in to anyone's account without it 
The indelible lord of tl;dr
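Pulling together jpoisson's escaping advice, Jackolantern's point about the password check being skipped, and the first post's plan for a character blacklist on user names: the example below is added here and is not code from any post in this thread. It shows a login check written two ways against the same MySQL table, plus registration with an allowlist on the user name. It assumes a `users` table with `username` and `password_hash` columns and a `mysqli` connection; the table, column names, and the user-name pattern are all assumptions. The `mysql_*` functions the thread mentions (including `mysql_real_escape_string`) were removed in PHP 7, so the hardened version uses `mysqli` prepared statements, which send the query text and the values separately so the values can never become part of the SQL.

```php
<?php
// Added example for this thread (not code from the original posts).
// Assumed schema: users(id, username, password_hash). Assumed: $db is a
// connected mysqli object.

// Vulnerable form: the user's input is pasted into the SQL text, so the
// input can change the structure of the statement. This is the pattern
// behind the "skip the password check" case in the PHP manual. Shown for
// contrast only; do not use.
function login_vulnerable(mysqli $db, string $user, string $pass): bool
{
    $sql = "SELECT id FROM users WHERE username = '$user' AND password = '$pass'";
    $res = $db->query($sql);
    return $res !== false && $res->num_rows > 0;
}

// Hardened form: a prepared statement with a bound parameter. The value is
// always treated as data, whatever characters it contains. The password is
// never compared inside SQL; the stored hash is fetched and checked with
// password_verify() against a hash made by password_hash().
function login_safe(mysqli $db, string $user, string $pass): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();   // true if a row was read, null/false otherwise
    $stmt->close();
    return $found === true && password_verify($pass, (string) $hash);
}

// Registration: rather than blacklisting "bad" characters in user names,
// allow only a narrow set. This pattern (3-20 letters, digits, underscore)
// is an assumption; adjust it to the game's rules. The quotes and
// semicolons that break the vulnerable query above are rejected for free.
function valid_username(string $user): bool
{
    return (bool) preg_match('/^[A-Za-z0-9_]{3,20}$/', $user);
}

function register(mysqli $db, string $user, string $pass): bool
{
    if (!valid_username($user)) {
        return false;
    }
    $hash = password_hash($pass, PASSWORD_DEFAULT);
    $stmt = $db->prepare(
        'INSERT INTO users (username, password_hash) VALUES (?, ?)'
    );
    $stmt->bind_param('ss', $user, $hash);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}
```

Two things to watch in practice: the allowlist is a usability rule, not the security control (the prepared statement is what stops injection, so a table that accepts wider names is still safe as long as every query binds its parameters), and the attempts the first post describes would show up as failed registrations with quote or semicolon characters in the rejected name, which is cheap to log and count.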
Re: Truncate
So how could you tell he was doing this?
And how did your name change colors?
- hallsofvallhalla
- Site Admin
- Posts: 12026
- Joined: Wed Apr 22, 2009 11:29 pm
Re: Truncate
Well, I have a wiki I set up ages ago for this site that I have done nothing with. Jp asked to work with it, so I made him part of the wiki group. I need to change that color, it's too bright.
But anyways, he is going to work with the wiki for the site.
Re: Truncate
Ah, cool - not sure it's too bright, but it is almost invisible sometimes... depending on the background 