brettrijnders / pbsviewer

This program ‘PBSViewer’ also known as Punkbuster (pb) Screenshot Viewer will download punkbuster screens from your gameserver to your webserver.
http://www.brettrijnders.nl/work/php/pb-screenshot-viewer/

SQL-Error #34

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Insert the next line into the searchbox: 'OR 'a' = 'a'#
2. 
The server shows:
------------------------
Forbidden
You do not have permission to access this document.

Web Server at beesar.com 
-------------------------
3. The input field could be a risk for SQL-injection

The input should be filtered through a regex

Original issue reported on code.google.com by cmulde...@gmail.com on 16 Aug 2010 at 10:50

GoogleCodeExporter commented 9 years ago
k thanks for the tip, what kind of regex are you suggesting? I already used 
mysql_real_escape_string()..., apparently that is not enough.

Original comment by brettrijnders on 17 Aug 2010 at 6:59
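The comment above raises the question of why escaping alone did not settle the matter. Escaping with mysql_real_escape_string() only protects a value that is placed inside a quoted string literal of a query built by concatenation, and the whole mysql_* extension was deprecated in PHP 5.5 and removed in PHP 7.0. The following is an added example, not code from PBSViewer, showing a search box handled the concatenation way beside the prepared-statement way. The table `screenshots`, its columns `nickname` and `filename`, and the DSN and credentials are assumptions for the illustration.

```php
<?php
// Added example, not PBSViewer's own code. Assumed schema: table `screenshots`
// with columns `nickname` and `filename`. Assumed DSN and credentials below.

// 1. Vulnerable pattern: the search term becomes part of the SQL text.
//    A quote in the term ends the string literal early, and '#' or '--'
//    comments out whatever follows. Escaping the term would help only if it
//    is always inserted inside quotes and the connection charset is correct.
function searchVulnerable(PDO $db, string $term): array
{
    $sql = "SELECT nickname, filename FROM screenshots"
         . " WHERE nickname LIKE '%" . $term . "%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 2. Hardened pattern: the query text is fixed at prepare time and the term is
//    sent as a separate parameter, so quotes, '#' and '--' are plain data.
//    This also means a player whose nickname contains such characters (the
//    case the maintainer mentions later in the thread) is searchable as-is.
function searchSafe(PDO $db, string $term): array
{
    // LIKE has its own wildcards ('%' and '_'); escape them so a bare '%'
    // from the user cannot match every row. '!' is used as the escape char.
    $pattern = '%' . str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term) . '%';

    $stmt = $db->prepare(
        "SELECT nickname, filename FROM screenshots"
        . " WHERE nickname LIKE :pattern ESCAPE '!'"
    );
    $stmt->execute([':pattern' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed usage; the DSN and credentials are placeholders.
$dsn = 'mysql:host=localhost;dbname=pbsviewer;charset=utf8mb4';
$pdo = new PDO($dsn, 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepares
]);

$term = isset($_GET['search']) ? (string) $_GET['search'] : '';
foreach (searchSafe($pdo, $term) as $row) {
    echo htmlspecialchars($row['nickname'], ENT_QUOTES, 'UTF-8'), ': ',
         htmlspecialchars($row['filename'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

Setting `PDO::ATTR_EMULATE_PREPARES` to false makes PDO send the statement and its parameters to MySQL separately rather than interpolating them client-side, and the `charset` in the DSN keeps the client and server agreeing on the encoding, which is the other precondition any escaping-based scheme silently depends on.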

GoogleCodeExporter commented 9 years ago
I now have improved the sql injection protection. I also have taken into 
account that a gamer might have a sql injection code as nickname. On my demo 
site I still get the permission error, but that has nothing to do with the wrong 
implementation of sql injection error. The firewall of my web host is 
generating this message, it automatically filters wrong input and will give 
this permission error.

Users who do not have such security will get a message from PBSViewer, so they 
should be protected as well :)

Original comment by brettrijnders on 19 Aug 2010 at 11:21

GoogleCodeExporter commented 9 years ago
It is released earlier because of high security risk.

Original comment by brettrijnders on 20 Aug 2010 at 9:17