DemonuMu
Well-Known Member
- Joined
- May 26, 2011
- Messages
- 1,178
- Reaction score
- 235
DarkMaster fixed the problems with the security some guys show me this message
I appreciate your efforts, but this is actually still quite hackable. I haven't run this to try it first hand, but looking at the code you can see typical security risks. For example, below you don't use any parameterised queries for your INSERT/UPDATE queries.
imanager.php -
Code:
update [WebShop] set
[name]='".$_POST['newname']."',
[credits]='".$_POST['credits']."',
[default_durability]='".$_POST['itemdur']."',
[X]='".$_POST['itemx']."',
[Y]='".$_POST['itemy']."',
[luck]='".$useLuck."',
[skill]='".$useSkill."',
[hasLevel]='".$useLvl."',
[id]='".$_POST['item_id']."',
[type]='".$_POST['item_index']."',
[hasOption]='".$useOpt."',
[optionType]='".$_POST['opt']."',
[ex_type]='".$_POST['exl']."',
[category]='".$_POST['cat']."',
[stickLevel]='".$_POST['stickLevel']."',
[maxitop]='".$_POST['maxitop']."',
[maxitxl]='".$_POST['maxitxl']."',
[maxitlv]='".$_POST['maxitlv']."'
where [uid]='".$_POST['itemid']."';
";
if (!mssql_query($newquery))
print '<br>'.mssql_get_last_message();
else
print '<br>> Item edited successfully < <select style="display:none;">';
}
You can falsify $_POST data by injecting a JS script in to feed a string in as the required $_POST variables. But here you just directly feed raw $_POST data into the DB. Suddenly you'll find some top option items and wonder where they came from.
But thanks for sharing, a lot of people might want this just on their local server to make it easier to add items if they're new to administrating the game .
I appreciate your efforts, but this is actually still quite hackable. I haven't run this to try it first hand, but looking at the code you can see typical security risks. For example, below you don't use any parameterised queries for your INSERT/UPDATE queries.
imanager.php -
Code:
update [WebShop] set
[name]='".$_POST['newname']."',
[credits]='".$_POST['credits']."',
[default_durability]='".$_POST['itemdur']."',
[X]='".$_POST['itemx']."',
[Y]='".$_POST['itemy']."',
[luck]='".$useLuck."',
[skill]='".$useSkill."',
[hasLevel]='".$useLvl."',
[id]='".$_POST['item_id']."',
[type]='".$_POST['item_index']."',
[hasOption]='".$useOpt."',
[optionType]='".$_POST['opt']."',
[ex_type]='".$_POST['exl']."',
[category]='".$_POST['cat']."',
[stickLevel]='".$_POST['stickLevel']."',
[maxitop]='".$_POST['maxitop']."',
[maxitxl]='".$_POST['maxitxl']."',
[maxitlv]='".$_POST['maxitlv']."'
where [uid]='".$_POST['itemid']."';
";
if (!mssql_query($newquery))
print '<br>'.mssql_get_last_message();
else
print '<br>> Item edited successfully < <select style="display:none;">';
}
You can falsify $_POST data by injecting a JS script in to feed a string in as the required $_POST variables. But here you just directly feed raw $_POST data into the DB. Suddenly you'll find some top option items and wonder where they came from.
But thanks for sharing, a lot of people might want this just on their local server to make it easier to add items if they're new to administrating the game .