Problema sql

[wifi123]

Nick: wifi123

Problema:Salut SA:MP.ro am si eu o problema cu baza de date sql , recent am primit sql injection de la cineva si mi-a sters toate conturile de pe server , am incercat sa bag protectie anti sql injection cu dar in zadar ,

Erori / warnings:-

Lini/script: Mai jos

Ai incercat sa rezolvi singur ?:Da , dar in zadar

Acest cod l-am bagat in gm cu gandul ca ma v-a proteja dar nimic...

[pawn]stock DB_Escape(text[])

{

new

ret[MAX_INI_ENTRY_TEXT * 2],

ch,

i,

j;

while ((ch = text[i++]) && j < sizeof (ret))

{

if (ch == '\'')

{

if (j < sizeof (ret) - 2)

{

ret[j++] = '\'';

ret[j++] = '\'';

}

}

else if (j < sizeof (ret))

{

ret[j++] = ch;

}

else

{

j++;

}

}

ret[sizeof (ret) - 1] = '\0';

return ret;

}[/pawn]

De exemplu , am aceste lini

[pawn]stock ShowTop(playerid, stats[], what[], limit = MAX_TOP_LIMIT)

{

//--------------------------------------------------------------------------

new Speed = GetTickCount(), DialString[3_000], String[2][128],

Query[2][256], DBResult:Result1, DB:g_dbKeptAlive, what2[30];

    g_dbKeptAlive = db_open("Accounts.db");

//--------------------------------------------------------------------------

format(Query[0], 256, "SELECT `name` FROM `users` ORDER BY `%s` *1 DESC limit %d", stats, limit);

Result1 = db_query(g_dbKeptAlive, Query[0]);

//--------------------------------------------------------------------------

if(!strcmp(what, "Kills"))              what2 = "Kills";

else if(!strcmp(what, "Hours")) what2 = "Hours";

else if(!strcmp(what, "SPoints")) what2 = "Stunt Points";

else if(!strcmp(what, "DriftP")) what2 = "Drift Points";

else if(!strcmp(what, "RaceP")) what2 = "Race Points";

//--------------------------------------------------------------------------

format(DialString, sizeof DialString, "", what2);

for(new Qr; Qr < db_num_rows(Result1); Qr++)

{

db_get_field(Result1, 0, String[0], 128);

format(Query[1], 256, "SELECT `%s` FROM `users` WHERE `Name` = '%s'", stats, String[0]);

new DBResult:Result2 = db_query(g_dbKeptAlive, Query[1]);

db_get_field(Result2, 0, String[1], 128);

//----------------------------------------------------------------------

if(!strcmp(stats, "Kills"))            format(DialString, sizeof DialString,

"%s\n{00FF00}%d. {CCCCCC}%s: {FF0000}%s Kills", DialString, Qr+1, String[0], String[1]/*FormatNumber(strval(String[1]))*/);

//----------------------------------------------------------------------

else if(!strcmp(stats, "Hours")) format(DialString, sizeof DialString,

"%s\n{00FF00}%d. {CCCCCC}%s: {FF0000}%s Hours", DialString, Qr+1, String[0], String[1]/*FormatNumber(strval(String[1]))*/);

//----------------------------------------------------------------------

else if(!strcmp(stats, "SPoints")) format(DialString, sizeof DialString,

"%s\n{00FF00}%d. {CCCCCC}%s: {FF0000}%s Stunt Points", DialString, Qr+1, String[0], String[1]/*FormatNumber(strval(String[1]))*/);

//----------------------------------------------------------------------

else if(!strcmp(stats, "DriftP")) format(DialString, sizeof DialString,

"%s\n{00FF00}%d. {CCCCCC}%s: {FF0000}%s Drift Points", DialString, Qr+1, String[0], String[1]/*FormatNumber(strval(String[1]))*/);

//----------------------------------------------------------------------

else if(!strcmp(stats, "RaceP")) format(DialString, sizeof DialString,

"%s\n{00FF00}%d. {CCCCCC}%s: {FF0000}%s Race Points", DialString, Qr+1, String[0], String[1]/*FormatNumber(strval(String[1]))*/);

//----------------------------------------------------------------------

db_next_row(Result1);

db_free_result(Result2);

}

db_free_result(Result1);

    db_close(g_dbKeptAlive);

format(DialString, sizeof DialString, "%s\n\n{CCFF66}The players with most points will apear here!\n{CCFF66}It is a honor to apear here!", DialString, GetTickCount() - Speed);

ShowPlayerDialog( playerid, 123, DIALOG_STYLE_MSGBOX, "{CCFF66}Top 10 players, DialString, "Close", "");

return 1;

}[/pawn]

cum pot face sa fie protejat de sql injection ?

[WopsS]

In primul rand ge SQL plugin folosesti?

[wifi123]

Nici un plugin , este bagat in gm de forma aceasta Database = db_open("Accounts.db");

[WopsS]

Nici un plugin , este bagat in gm de forma aceasta Database = db_open("Accounts.db");

Ohohoho! Nu e bine, in primul rand pentru ca este vechi ... In al doilea rand, n-ai parola la el, asa-i?

E gen un SQL Compact?

Incearca sa treci la MySQL R38, este mai sigur. Ai SQL escape acolo, aici sincer nu te pot ajuta, sincer, si nimeni nu cred ca stie, pentru ca este vechi... In fine, acolo ai un SQL escape, si iti poate manipula baza de date cum vrea el.

[Mafia.]

Au trecut  24 de ore de cand ti s-a raspuns la cerere asa ca

Topic Closed + Solved !