
Problema sql


wifi123

Question

Nick: wifi123

Problema: Salut SA:MP.ro, am si eu o problema cu baza de date SQL. Recent am primit SQL injection de la cineva si mi-a sters toate conturile de pe server. Am incercat sa bag protectie anti SQL injection, dar in zadar.

Erori / warnings:-

Linii/script: Mai jos

Ai incercat sa rezolvi singur?: Da, dar in zadar

Acest cod l-am bagat in gm cu gandul ca ma va proteja, dar nimic...

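[pawn]/**
 * Escapes a string for use inside a single-quoted SQLite string literal ('...').
 *
 * Inside '...' the only special character is the single quote, which SQLite
 * escapes by doubling it, so that is all this function does. It does NOT make
 * a value safe as a table/column name, inside backticks, or in an unquoted
 * position (e.g. ORDER BY `%s`, LIMIT %d) - such values must be checked
 * against a fixed list of known names, or formatted with %d for integers.
 *
 * text - NUL-terminated input string
 *
 * Returns the escaped copy (at most MAX_INI_ENTRY_TEXT * 2 - 1 characters).
 * If the escaped form does not fit, the copy stops at the last character that
 * fits completely: a quote is never written without its doubled partner and
 * nothing after a dropped character is kept, so the result is always a
 * well-formed prefix of the escaped input.
 */
stock DB_Escape(text[])
{
    new ret[MAX_INI_ENTRY_TEXT * 2], ch, src = 0, dst = 0;

    while ((ch = text[src++]) != '\0')
    {
        if (ch == '\'')
        {
            // A quote needs two cells plus room for the terminator.
            if (dst >= sizeof(ret) - 2) break;
            ret[dst++] = '\'';
            ret[dst++] = '\'';
        }
        else
        {
            // Any other character needs one cell plus the terminator.
            if (dst >= sizeof(ret) - 1) break;
            ret[dst++] = ch;
        }
    }
    ret[dst] = '\0';
    return ret;
}[/pawn]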

De exemplu, am aceste linii

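[pawn]/**
 * Builds and shows the "top players" dialog ranked by one stats column.
 *
 * playerid - player who receives the dialog
 * stats    - name of the `users` column to rank by; it is used as an SQL
 *            identifier (inside backticks), so it must be one of the names in
 *            TopColumns below - anything else is rejected
 * what     - unused; kept so existing callers keep compiling
 * limit    - number of rows to fetch (LIMIT clause, formatted with %d)
 *
 * Returns 1 when the dialog was shown, 0 when `stats` was rejected.
 */
stock ShowTop(playerid, stats[], what[], limit = MAX_TOP_LIMIT)
{
    #pragma unused what

    //--------------------------------------------------------------------------
    // DB_Escape only protects single-quoted string literals; a column name sits
    // inside backticks, so the only safe way to take it from outside is to
    // accept it from a fixed list of our own column names.
    static const TopColumns[][] = { "Kills", "Hours", "SPoints", "DriftP", "RaceP" };
    new allowed = false;
    for(new c; c < sizeof TopColumns; c++)
    {
        if(!strcmp(stats, TopColumns[c]))
        {
            allowed = true;
            break;
        }
    }
    if(!allowed) return 0;

    //--------------------------------------------------------------------------
    new DialString[3_000], Name[128], Value[128], Query[256],
        DBResult:Result1, DB:db;

    // NOTE(review): db_open's failure value is not checked (it was not in the
    // original either) - confirm what the SA:MP natives return before adding a guard.
    db = db_open("Accounts.db");

    //--------------------------------------------------------------------------
    // `stats` is now known to be one of our own column names and `limit` is an
    // integer, so this query cannot be altered by the caller's input.
    format(Query, sizeof Query, "SELECT `name` FROM `users` ORDER BY `%s` *1 DESC limit %d", stats, limit);
    Result1 = db_query(db, Query);

    //--------------------------------------------------------------------------
    new rows = db_num_rows(Result1);  // invariant; no need to ask on every iteration
    for(new Qr; Qr < rows; Qr++)
    {
        db_get_field(Result1, 0, Name, sizeof Name);

        // Name comes back from the database, i.e. from whatever a user typed at
        // registration, so it is untrusted as well (second-order injection).
        // It goes into a '...' literal, which is exactly what DB_Escape handles.
        format(Query, sizeof Query, "SELECT `%s` FROM `users` WHERE `Name` = '%s'", stats, DB_Escape(Name));
        new DBResult:Result2 = db_query(db, Query);
        db_get_field(Result2, 0, Value, sizeof Value);
        db_free_result(Result2);

        //----------------------------------------------------------------------
        if(!strcmp(stats, "Kills"))         format(DialString, sizeof DialString,
            "%s\n{00FF00}%d. {CCCCCC}%s: {FF0000}%s Kills", DialString, Qr+1, Name, Value);
        //----------------------------------------------------------------------
        else if(!strcmp(stats, "Hours"))    format(DialString, sizeof DialString,
            "%s\n{00FF00}%d. {CCCCCC}%s: {FF0000}%s Hours", DialString, Qr+1, Name, Value);
        //----------------------------------------------------------------------
        else if(!strcmp(stats, "SPoints"))  format(DialString, sizeof DialString,
            "%s\n{00FF00}%d. {CCCCCC}%s: {FF0000}%s Stunt Points", DialString, Qr+1, Name, Value);
        //----------------------------------------------------------------------
        else if(!strcmp(stats, "DriftP"))   format(DialString, sizeof DialString,
            "%s\n{00FF00}%d. {CCCCCC}%s: {FF0000}%s Drift Points", DialString, Qr+1, Name, Value);
        //----------------------------------------------------------------------
        else if(!strcmp(stats, "RaceP"))    format(DialString, sizeof DialString,
            "%s\n{00FF00}%d. {CCCCCC}%s: {FF0000}%s Race Points", DialString, Qr+1, Name, Value);
        //----------------------------------------------------------------------
        db_next_row(Result1);
    }
    db_free_result(Result1);
    db_close(db);

    //--------------------------------------------------------------------------
    format(DialString, sizeof DialString, "%s\n\n{CCFF66}The players with most points will apear here!\n{CCFF66}It is a honor to apear here!", DialString);
    // The original dialog title literal was not closed ("{CCFF66}Top 10 players, ...),
    // which would not compile; the caption is now a proper string.
    ShowPlayerDialog(playerid, 123, DIALOG_STYLE_MSGBOX, "{CCFF66}Top 10 players", DialString, "Close", "");
    return 1;
}[/pawn]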

Cum pot face sa fie protejat de SQL injection?



Niciun plugin, este bagat in gm in forma aceasta: Database = db_open("Accounts.db");

Ohohoho! Nu e bine, in primul rand pentru ca este vechi... In al doilea rand, n-ai parola la el, asa-i?

E gen un SQL Compact?

Incearca sa treci la MySQL R38, este mai sigur. Acolo ai SQL escape; aici, sincer, nu te pot ajuta, si nu cred ca stie nimeni, pentru ca este vechi... In fine, acolo ai un SQL escape, iar aici iti poate manipula baza de date cum vrea el.

