
SQL Injection


Question

Posted

Is it possible for this part of this script to get an SQL injection?

input @upper_hg$;  // string input: whatever the player types is concatenated straight into the queries below
if(query_sql("SELECT `view` from `item_db` where `equip_locations` = 256 and `id` ='"+@upper_hg$+"'") == 0)
{ mes "No headgear was found";
close; }
else {
// the same unescaped input is reused here, and the result of the first query feeds the second
query_sql "SELECT `view` from `item_db` where `equip_locations` = 256 and `id` ='"+@upper_hg$+"'", ouchoice;
query_sql "SELECT `name_japanese` from `item_db` where `equip_locations` = 256 and `view` ='"+ouchoice+"'", UFS$;
}

5 answers to this question

Recommended Posts

Posted

Yeah, it's possible.

It's only impossible to get SQL injection IF ...

1. input .@string_var$; query_sql ".... where data = '"+ escape_sql(.@string_var$) +"'";

2. input .@int_var; query_sql ".... where data = "+ .@int_var;

All other methods can get SQL injection.

Posted

Oh, then by just using 2. my script will be good, right? Like, safe from SQL injection? And yeah, I think I should do that because the script is not really asking for a string, right?

Posted (edited)

prontera,154,183,5	script	headgear finder	100,{
mes "input a headgear item_id";
next;
input .@upper_headgear; // try 2220 ; integer variable (no '$'), so only a number can reach the query
// the integer is concatenated into the SQL; query_sql returns the row count and fills the two arrays
if ( !( .@nb = query_sql("select id, name_japanese from item_db where equip_locations & 256 and view = ( select view from item_db where equip_locations & 256 and id = "+ .@upper_headgear +" )", .@item_id, .@item_name$ ) ) ) {
	mes "no headgear was found";
	close;
}
mes "these are the items that has same view_id when you input that item_id";
next;
// build a select() menu with one entry per returned row
for ( .@i = 0; .@i < .@nb; .@i++ )
	.@menu$ = .@menu$ + .@item_name$[.@i] +":";
.@pick = select( .@menu$ ) -1; // select() is 1-based, the arrays are 0-based
mes "you chose "+ .@item_name$[ .@pick ];
getitem .@item_id[ .@pick ], 1;
close;
}

Well, better not complicate the topic, so just do something like this:

If your input only asks for a numeric value, then use input .@numeric_var <-- without the '$' at the end.

Then the user will find it hard to inject your script, because the input can only accept numbers.

And yes, your script in the 1st post is possible to get SQL injection ...

But I dunno what command I should input to inject that script ... lol

because you run query_sql 3 times with different functions ...

Edited by AnnieRuru
  • Upvote 1
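The patterns discussed in this thread, run side by side against a constructed miniature of item_db, as an added example that is not part of the original posts or of rAthena: the first post's string concatenation, the two safe patterns from the first answer (escape_sql and an integer-only input) and the subquery from AnnieRuru's headgear finder. Python with SQLite stands in for the server's MySQL; sqlite3 accepts the backtick identifiers, but its string escaping differs (a quote is doubled, whereas rAthena's escape_sql delegates to the MySQL client library's backslash escaping), so escape_sql_sqlite is only an analogue of escape_sql. The table rows, item names and the PAYLOAD string are constructed for the demo.

```python
import sqlite3

# Constructed miniature of rAthena's item_db with only the columns the
# scripts in this thread touch. Ids and names are made up for the demo.
SAMPLE_ITEMS = [
    (2220, "Hat", 256, 16),
    (5000, "Hat_Lookalike", 256, 16),   # same view id as 2220
    (2221, "Cap", 256, 17),
    (1201, "Knife", 2, 1),              # not headgear: equip_locations != 256
]

# Constructed payload a player could type into `input @upper_hg$`.
# The trailing space matters: MySQL only treats "-- " as a comment with it.
PAYLOAD = "' OR 1=1 -- "


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE item_db (id INTEGER, name_japanese TEXT, "
                 "equip_locations INTEGER, view INTEGER)")
    conn.executemany("INSERT INTO item_db VALUES (?, ?, ?, ?)", SAMPLE_ITEMS)
    return conn


def vulnerable_lookup(conn, user_input):
    # Same string building as the first post: the raw string input is pasted
    # inside the quotes, so a quote in the input ends the literal and the
    # rest of the input is parsed as SQL.
    sql = ("SELECT `view` FROM `item_db` WHERE `equip_locations` = 256 "
           "AND `id` = '" + user_input + "'")
    return [row[0] for row in conn.execute(sql)]


def escape_sql_sqlite(value):
    # SQLite analogue of escape_sql (first answer, pattern 1). SQLite escapes
    # a quote by doubling it; escape_sql itself uses the MySQL client's
    # backslash escaping, which SQLite would not honour.
    return value.replace("'", "''")


def escaped_lookup(conn, user_input):
    sql = ("SELECT `view` FROM `item_db` WHERE `equip_locations` = 256 "
           "AND `id` = '" + escape_sql_sqlite(user_input) + "'")
    return [row[0] for row in conn.execute(sql)]


def numeric_lookup(conn, user_input):
    # First answer, pattern 2 / AnnieRuru's script: `input .@var` without `$`
    # only ever yields an integer, so nothing but a number reaches the query.
    # int() raises ValueError for anything else, mirroring that restriction.
    item_id = int(user_input)
    sql = ("SELECT `view` FROM `item_db` WHERE `equip_locations` = 256 "
           "AND `id` = " + str(item_id))
    return [row[0] for row in conn.execute(sql)]


def same_view_lookup(conn, item_id):
    # The subquery from AnnieRuru's headgear finder with an integer id:
    # every headgear that shares the view id of `item_id`.
    sql = ("SELECT id, name_japanese FROM item_db WHERE equip_locations & 256 "
           "AND view = (SELECT view FROM item_db WHERE equip_locations & 256 "
           "AND id = " + str(int(item_id)) + ")")
    return conn.execute(sql).fetchall()


def parameterized_lookup(conn, user_input):
    # The general fix outside rAthena script: bind the value so the database
    # never parses it as SQL, whatever characters it contains.
    sql = ("SELECT `view` FROM `item_db` WHERE `equip_locations` = 256 "
           "AND `id` = ?")
    return [row[0] for row in conn.execute(sql, (user_input,))]


def run_demo():
    conn = make_db()
    results = {
        "vulnerable_honest": vulnerable_lookup(conn, "2220"),
        # the payload turns the WHERE clause into "... OR 1=1", so every row
        # comes back, including the weapon the equip_locations filter excluded
        "vulnerable_payload": vulnerable_lookup(conn, PAYLOAD),
        "escaped_payload": escaped_lookup(conn, PAYLOAD),
        "parameterized_payload": parameterized_lookup(conn, PAYLOAD),
        "same_view_2220": same_view_lookup(conn, 2220),
    }
    try:
        numeric_lookup(conn, PAYLOAD)
        results["numeric_rejects_payload"] = False
    except ValueError:
        results["numeric_rejects_payload"] = True
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

With the payload, the concatenated query returns the view id of all four rows, the Knife included, so the `== 0` check in the first post is trivially passed; the escaped, integer-only and parameterized variants all return nothing or refuse the input. The integer-only pattern is the right fit for this NPC because an item id is a number anyway; escape_sql is what to reach for when the input genuinely has to be a string.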
Posted

Oh, thanks a lot. Forget about that; it's fine as long as the server is safe.

Anyway, can you tell me how to do a simple SQL query via the NPC I made? I wanna try it first.
