Safe or not ??
fookaa
09-02-2014, 05:40 PM
Hi,
I was searching around for games for my arcade and stumbled upon a post suggesting this mod is subject to a SQLi error and it is one of the most exploited SQLis ever oO !!!
So is this true? If so, is there an exploit fix?
The post saying this was posted on 05-18-2013 and the last update for this mod was on 27 Feb 2012, so I'm a bit worried now....
I checked the source quickly (mainly the queries), but it seems safe.
addslashes is used at some places which is not safe if you use a certain character encoding (http://www.itshacked.com/344/bypassing-php-security-addslashes-while-sql-injection-attacks-is-possible.html), but I doubt anyone would ever use any of these character encodings for a vBulletin forum.
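Added example (not part of the thread or of the mod's code): a charset audit for the addslashes point in the post above, listing encodings in which a multibyte lead byte absorbs the backslash (0x5C) that addslashes inserts. The byte-wise `addslashes` model, the function names and the sample bytes are constructed for illustration, and Python's codecs stand in for the database connection character set.

```python
BACKSLASH = 0x5C

def absorbing_lead_bytes(encoding):
    """Lead bytes that combine with 0x5C into ONE character in `encoding`."""
    leads = []
    for lead in range(0x80, 0x100):
        try:
            text = bytes([lead, BACKSLASH]).decode(encoding, errors="strict")
        except UnicodeDecodeError:
            continue                      # 0x5C is not a valid trail byte here
        if len(text) == 1:                # the backslash became part of a character
            leads.append(lead)
    return leads

def addslashes_unsafe(encoding):
    """True if byte-wise escaping can be undone by the encoding's decoder."""
    return bool(absorbing_lead_bytes(encoding))

def addslashes(raw):
    """Byte-wise model of PHP addslashes(): prefix ' " \\ and NUL with a backslash."""
    out = bytearray()
    for b in raw:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(BACKSLASH)
        out.append(b)
    return bytes(out)

def quote_still_escaped(raw, encoding):
    """After addslashes(), is every quote still preceded by a backslash once
    the bytes are interpreted in `encoding`?"""
    text = addslashes(raw).decode(encoding, errors="replace")
    return all(i > 0 and text[i - 1] == "\\"
               for i, ch in enumerate(text) if ch == "'")

if __name__ == "__main__":
    for enc in ("utf-8", "latin-1", "gbk", "big5", "shift_jis"):
        n = len(absorbing_lead_bytes(enc))
        print(f"{enc:10s} unsafe={addslashes_unsafe(enc)} absorbing lead bytes={n}")
    sample = b"\xbf'"                     # constructed sample: lead byte + quote
    print("utf-8 keeps escape:", quote_still_escaped(sample, "utf-8"))
    print("gbk   keeps escape:", quote_still_escaped(sample, "gbk"))
```

Escaping that is aware of the connection character set, or parameterized queries, does not depend on this byte-level property.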
fookaa
09-02-2014, 06:43 PM
I just sent you a pm of the warning post I found...
tbworld
09-02-2014, 07:12 PM
[quote]I just sent you a pm of the warning post I found...[/quote]
Please send me a copy of the post or the URL, I would appreciate it. :)
fookaa
09-02-2014, 07:18 PM
[quote]Please send me a copy of the post or the URL, I would appreciate it. :)[/quote]
Sent..
--------------- Added 1409690013 at 1409690013 ---------------
So what's the verdict?
--------------- Added 1409691313 at 1409691313 ---------------
I'm trying to reply to your PM but this site keeps timing out?
tbworld
09-02-2014, 08:34 PM
[quote=fookaa;2513538]Sent..
--------------- Added 02 Sep 2014 at 13:33 ---------------
So what's the verdict?[/quote]
Taking a quick look at version 2.7.2+, this should not be an issue, as they are now parsing the query string for SQL commands among other things. You should be using a PHP version of 3.5 or greater as a minimum.
I will do some tests on it later this evening. :)
stangger5
09-05-2014, 09:31 PM
What do you think about letting vBulletin Input Clean handle it ??
fookaa
09-06-2014, 10:53 AM
Any news on this ?
RichieBoy67
09-06-2014, 01:12 PM
Definitely safe.