Jump to content

How To Prevent Python SQL Inject

enisina

By enisina,
in Guides & HowTo

 Share

Recommended Posts

  • Active+ Member
enisina Community Regular

enisina 147

Posted
  • Active+ Member
Posted

Consinfo.py add 

def GetInjectText(text):
    characters = ["SELECT","TRUNCATE","INSERT","REPLACE","DELETE",'/', '>', '<', '|', ';', ':', '}', '{', '[', ']', '%', '#', '@', '^','&']
    succes = False
    for j in xrange(len(characters)):
        if text.find(characters[j]) != -1:
            succes = True
            break
    return succes

use 

def __SendShoutChatPacket(self, text):
    if constInfo.GetInjectText(text):
       chat.AppendChat(chat.CHAT_TYPE_INFO, " SQL INJECT")
       return

quote from turkish forum

  • Sad 1
  • Confused 2
  • Love 2
Link to comment
Share on other sites
  • Replies 5
  • Created
  • Last Reply

Top Posters In This Topic

Popular Days

Top Posters In This Topic

Popular Days

Popular Posts

enisina
enisina

Consinfo.py add def GetInjectText(text): characters = ["SELECT","TRUNCATE","INSERT","REPLACE","DELETE",'/', '>', '<', '|', ';', ':', '}', '{', '[', ']', '%', '#', '@', '^','&']

Exygo
Exygo

Literally the worst fix ever    void LogManager::ShoutLog(const char * pszName, const char * pszText) {     m_sql.EscapeString(__escape_hint, sizeof(__escape_hint), pszText, strlen(pszTex

Helia01
Helia01

?

  • Active Member
Exygo Experienced

Exygo 1044

Posted
  • Active Member
Posted

Literally the worst fix ever :facepalm:

 

void LogManager::ShoutLog(const char * pszName, const char * pszText)
{
    m_sql.EscapeString(__escape_hint, sizeof(__escape_hint), pszText, strlen(pszText));
   // bla bla bla
}

  • Love 1

qnZf3zg.png

https://www.youtube.com/channel/UCQ8mAeda9TWq6SsTzB53emw/videos

Link to comment
Share on other sites
  • Active+ Member
enisina Community Regular

enisina 147

Posted
  • Author
  • Active+ Member
Posted
11 hours ago, Exygo said:

Literally the worst fix ever :facepalm:

 

void LogManager::ShoutLog(const char * pszName, const char * pszText)
{
    m_sql.EscapeString(__escape_hint, sizeof(__escape_hint), pszText, strlen(pszText));
   // bla bla bla
}

very clever friend this was just an example. if you can do better, do it and share

Link to comment
Share on other sites
  • Forum Moderator
Raylee Mentor

Raylee 645

Posted
  • Forum Moderator
Posted
2 hours ago, enisina said:

над чем ты смеешься Тебе нравится детка: D

Rules

§1 Language

(1.1) Language

The language in this board is english. If you want to post something in your own language always add an english translation. The only exception for this rule is this section: Private Servers

 

Regards
Raylee

Link to comment
Share on other sites
 Share
Go to topic listing

Announcements



  • Similar Content

  • Similar Content

  • Similar Content

  • Tags

  • Activity

    1. 5

      Renewal Icons Affectshower - Skills & Dews & Water & Fish & ETC

      thx
      Hulk in Programming & Scripts
    2. 0

      Metin2 effect script files (MSE and MSA file) how can convert

      Metin2 effect script files (MSE and MSA file) How can I convert a Unity particle system or 3ds Max animation file?
      tengri in Community Support - Questions & Answers
    3. 10

      Multi Language System

      First of all thanks for the release. If anyone try to use this multilang system, here's some tip for the quests because making different quest states for each language as in the example will be a nightmare. translate.lua: --Default arrays gameforge.blacksmith = {} gameforge.blacksmith._10_npcChat = {} gameforge.blacksmith._20_sayTitle = {} gameforge.blacksmith._30_say = {} gameforge.blacksmith._40_sayTitle = {} gameforge.blacksmith._50_sayReward = {} --EN gameforge.blacksmith._10_npcChat["en"] = "I want to upgrade something. " gameforge.blacksmith._20_sayTitle["en"] = "Blacksmith " gameforge.blacksmith._30_say["en"] = "Greetings![ENTER]I am responsible for upgrading items. If you want[ENTER]to upgrade an item, just bring it to me. " gameforge.blacksmith._40_sayTitle["en"] = "Information: " gameforge.blacksmith._50_sayReward["en"] = "Drag an item from your inventory onto the[ENTER]Blacksmith. " --HU gameforge.blacksmith._10_npcChat["hu"] = "Szeretnék valamit feljavíttatni. " gameforge.blacksmith._20_sayTitle["hu"] = "Kovács " gameforge.blacksmith._30_say["hu"] = "Üdvözöllek![ENTER]Én felelek a tárgyak feljavításáért. Ha fel[ENTER]szeretnél javíttatni egy tárgyat, hozd csak ide[ENTER]nekem. " gameforge.blacksmith._40_sayTitle["hu"] = "Információ: " gameforge.blacksmith._50_sayReward["hu"] = "Húzz rá egy tárgyat a leltáradból a Kovácsra. " questlib.lua: function get_lang_name() if get_lang() == 1 then return "hu" end return "en" end blacksmith.quest: quest blacksmith begin state start begin when blacksmith.chat.gameforge.blacksmith._10_npcChat[get_lang_name()] begin say_title(gameforge.blacksmith._20_sayTitle[get_lang_name()]) say(gameforge.blacksmith._30_say[get_lang_name()]) wait() say_title(gameforge.blacksmith._40_sayTitle[get_lang_name()]) say_reward(gameforge.blacksmith._50_sayReward[get_lang_name()]) end end end Some caching mechanism to the get_lang_name() would be nice too. Also do not use this in notice_all because it will notice all in the player's language... Maybe use ["en"] to display notice_alls in english for everyone or code some translating mechanism for the client (e.g. replace chars when displaying the messages depending on the current lang). +1 note: the default qc did not like the [get_lang_name()] in the when statement but a friend gave me a "fixed" qc which you can download here.
      • 1
      • Love
      TMP4 in Features & Metin2 Systems
    4. 0

      We are looking for a C++ and Python programmer

      We are looking for a C++ and Python programmer for systems development and warfare for Metin2
      boloca in Paid Support / Searching / Recruiting
    5. 0

      [Quest Scheduler Request] Is there a way to make a quest run independet of player events? Lets say start quest automatically at server startup?

      The idea is, i want this quest to run regardless of player actions, at the moment it seems to start at player login ideally the quest would start at day Y(could have daily flag) hour X so basically a scheduler, so it won't be dependent on any player events quest test_npcmove begin state start begin when letter begin chat("Started") set_state("spawn_monster_in_map_boss_1") end end -- State to check for/spawn boss 1 state spawn_monster_in_map_boss_1 begin when letter begin chat("Spawning first boss") local mob_vnum = 102 -- Adjust VNUM for boss 1 local map_index = 352 local mobs = find_mobs_in_map(mob_vnum, map_index) local vid_boss1 = 0 local mobs_str = "BOSS 1 VIDs: {" .. table.concat(mobs, ", ") .. "}" chat(mobs_str) chat("Player X: " .. 339 .. " Y: " .. 363) if table.getn(mobs) > 0 then vid_boss1 = mobs[1] chat("Boss 1 found, using existing with VID: " .. tostring(vid_boss1)) else local vids = spawn_monster_in_map(mob_vnum, 1, false, map_index, 339, 363 + 10, true) vid_boss1 = vids[1] if vids[1] ~= nil then vid_boss1 = vids[1] chat("Boss 1 spawned with VID: " .. tostring(vid_boss1)) else vids = find_mobs_in_map(mob_vnum, map_index) vid_boss1 = vids[1] chat("Boss 2 fetched vid for spwaned mob: " .. tostring(vid_boss1)) end end pc.setqf("vid_boss1", vid_boss1) set_state("spawn_monster_in_map_boss_2") end end -- State to check for/spawn boss 2 state spawn_monster_in_map_boss_2 begin when letter begin local mob_vnum = 101 -- Adjust VNUM for boss 2 local map_index = 352 local mobs = find_mobs_in_map(mob_vnum, map_index) local vid_boss2 = 0 local mobs_str = "BOSS 2 VIDs: {" .. table.concat(mobs, ", ") .. "}" chat(mobs_str) if table.getn(mobs) > 0 then vid_boss2 = mobs[1] chat("Boss 2 found, using existing with VID: " .. tostring(vid_boss2)) else local vids = spawn_monster_in_map(mob_vnum, 1, false, map_index, 339, 363 - 10, true) vid_boss2 = vids[1] if vids[1] ~= nil then vid_boss2 = vids[1] chat("Boss 1 spawned with VID: " .. tostring(vid_boss2)) else vids = find_mobs_in_map(mob_vnum, map_index) vid_boss2 = vids[1] chat("Boss 2 fetched vid for spwaned mob: " .. tostring(vid_boss2)) end end pc.setqf("vid_boss2", vid_boss2) set_state("move_bosses") end end -- State to move both bosses state move_bosses begin when letter begin local vid_boss1 = pc.getqf("vid_boss1") local vid_boss2 = pc.getqf("vid_boss2") local target_x = 339 local target_y = 363 mob_move(vid_boss1, target_x, target_y) mob_move(vid_boss2, target_x, target_y) chat("Both bosses moved to player's position.") set_state("bosses_fight") end end -- State where bosses fight state bosses_fight begin when letter begin local vid_boss1 = pc.getqf("vid_boss1") local vid_boss2 = pc.getqf("vid_boss2") local map_index = 352 chat("Boss 1 VID: " .. tostring(vid_boss1)) chat("Boss 2 VID: " .. tostring(vid_boss2)) local success2, message2 = set_pc_can_attack_monster(vid_boss1, false, map_index) local success3, message3 = set_pc_can_attack_monster(vid_boss2, false, map_index) chat("Attempt to make boss 1 invinciple " .. tostring(success2) .. " - " .. message2) chat("Attempt to make boss 2 invinciple " .. tostring(success3) .. " - " .. message3) -- Attempt to make boss 1 attack boss 2 local success1, message1 = attack_mob(vid_boss1, vid_boss2, map_index) if success1 ~= nil and message1 ~= nil then chat("Attack attempt from Boss 1 to Boss 2: " .. tostring(success1) .. " - " .. message1) else chat("Attack attempt from Boss 1 to Boss 2: success or message is nil") end -- Attempt to make boss 2 attack boss 1 local success2, message2 = attack_mob(vid_boss2, vid_boss1, map_index) if success2 ~= nil and message2 ~= nil then chat("Attack attempt from Boss 2 to Boss 1: " .. tostring(success2) .. " - " .. message2) else chat("Attack attempt from Boss 2 to Boss 1: success or message is nil") end chat("Bosses are now set to fight each other.") chat("---------------------------------END------------------------------------") set_state("bosses_alive") end end state bosses_alive begin when letter begin chat("Checking if boss died") local vid_boss1 = pc.getqf("vid_boss1") local vid_boss2 = pc.getqf("vid_boss2") local map_index = 352 -- Check if Boss 1 is alive local is_boss1_alive, boss1_msg = is_mob_alive_in_map(vid_boss1, map_index) chat("Boss 1 alive check: " .. tostring(is_boss1_alive) .. " - " .. boss1_msg) -- Check if Boss 2 is alive local is_boss2_alive, boss2_msg = is_mob_alive_in_map(vid_boss2, map_index) chat("Boss 2 alive check: " .. tostring(is_boss2_alive) .. " - " .. boss2_msg) -- Determine the next state based on the bosses' statuses if not is_boss1_alive or not is_boss2_alive then if is_mob_alive_in_map(vid_boss1, map_index) then local success2, message2 = set_pc_can_attack_monster(vid_boss1, true, map_index) chat("Resetting invicibility for boss1 " .. tostring(success2) .. " - " .. message2) end if is_mob_alive_in_map(vid_boss2, map_index) then local success3, message3 = set_pc_can_attack_monster(vid_boss2, true, map_index) chat("Resetting invicibility for boss2 " .. tostring(success3) .. " - " .. message3) end chat("One of the bosses is dead. Resetting quest.") set_state("start") else chat("Both bosses are alive. Continuing the fight.") set_state("bosses_alive") end end end end And the last state, called bosses_alive seems to also reexecute only at player relog (login) Is there a way to make it so the states are independent of player events and just execute as soon as sv starts?
      astroNOT in Community Support - Questions & Answers
    6. 111

      Ulthar SF V2 (TMP4 Base)

      Can someone help me? .. rafinement still not working for me..
      robertbode in Binaries
    7. 0

      Quest function when 102.kill definition whereabouts help

      Hello, So I m trying to find where this vnum.kill function is defined on serverside, seems quite tricky, if anybody knows where it is defined and what name it has, please lmk Thanks, Gabi might be this guy void CQuestManager::Kill(unsigned int pc, unsigned int npc) { //m_CurrentNPCRace = npc; PC * pPC; sys_log(0, "CQuestManager::Kill QUEST_KILL_EVENT (pc=%d, npc=%d)", pc, npc); if ((pPC = GetPC(pc))) { if (!CheckQuestLoaded(pPC)) return; // kill call script if (npc >= MAIN_RACE_MAX_NUM) //@fixme109 m_mapNPC[npc].OnKill(*pPC); //@warme004 m_mapNPC[QUEST_NO_NPC].OnKill(*pPC); #ifdef ENABLE_PARTYKILL // party_kill call script LPCHARACTER ch = GetCurrentCharacterPtr(); LPPARTY pParty = ch->GetParty(); LPCHARACTER leader = pParty ? pParty->GetLeaderCharacter() : ch; if (leader) { m_pCurrentPartyMember = ch; if (npc >= MAIN_RACE_MAX_NUM) //@fixme109 m_mapNPC[npc].OnPartyKill(*GetPC(leader->GetPlayerID())); //@warme004 m_mapNPC[QUEST_NO_NPC].OnPartyKill(*GetPC(leader->GetPlayerID())); pPC = GetPC(pc); } #endif } else sys_err("QUEST: no such pc id : %d", pc); }
      astroNOT in Community Support - Questions & Answers
    8. 5

      [M2 FILTER] Customized Client Filter

      ENB Mode, a graphic enhancer for dx that people used on SA:MP to make it look better, i didn't see a metin2 server using this since 2017 . [Hidden Content]
      envy in Features & Metin2 Systems
    9. 19

      Chat / Whisper Emoji

      Simpson1 in Features & Metin2 Systems

  • Recently Browsing

    • No registered users viewing this page.
×
×
  • Create New...

Important Information

Terms of Use / Privacy Policy / Guidelines / We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.