To all Coder

[Tyran1]

Quote:

Originally Posted by Roflstilzchen

to make a long story short: the original hack was a sports betting addon for world soccer championship in 2006 and the original coder (TheSisko) doesnt support it anymore and the old download thread doesn?t exist too. Tyran1 changed the code into an addon for european championship 2008 but unfortunately the original code has a security leak (i guess sql-injections) which tyran is not able to fix by himself.

@tyran: maybe you should provide the hack to the users here, because without it no one will be able to help you just like lynne allready said.

Thank you.

Ok the Addon in the appendix

[cheesegrits]

If it's an SQL injection problem, then it's probably these lines in EM2008.php:

Code:

				$sql = "INSERT INTO " . TABLE_PREFIX . "rth_em08_bets (user_id,em_game_number,bet_result,bet_home,bet_visitor) 
									VALUES (".$vbulletin->userinfo['userid'].",".$game.",".$result['bet_result'].",".$result['home'].",".$result['visitor'].")";

... where none of those variables being inserted have been cleaned properly.

At the very least, I'd do ...

Code:

$game = $db->escape_string($game);
$result['bet_result'] = $db->escape_string($result['bet_result']);
$result['home'] = $db->escape_string($result['home']);
$result['visitor'] = $db->escape_string($result['visitor']);

... before that query.

-- hugh

[Tyran1]

Quote:

Originally Posted by cheesegrits

If it's an SQL injection problem, then it's probably these lines in EM2008.php:

Code:

				$sql = "INSERT INTO " . TABLE_PREFIX . "rth_em08_bets (user_id,em_game_number,bet_result,bet_home,bet_visitor) 
									VALUES (".$vbulletin->userinfo['userid'].",".$game.",".$result['bet_result'].",".$result['home'].",".$result['visitor'].")";

... where none of those variables being inserted have been cleaned properly.

At the very least, I'd do ...

Code:

$game = $db->escape_string($game);
$result['bet_result'] = $db->escape_string($result['bet_result']);
$result['home'] = $db->escape_string($result['home']);
$result['visitor'] = $db->escape_string($result['visitor']);

... before that query.

-- hugh

Many thank you!!!!! Sorry which I ask however was that everything?

--------------- Added [DATE]1201713109[/DATE] at [TIME]1201713109[/TIME] ---------------

One has me further to place called these obviously also a problem to explain...

Quote:

$vbulletin->input->clean_array_gpc('p', array(
'betgame' => TYPE_ARRAY,

[...]
$userbetcheck = $db->query_first("SELECT count(*) as anzahl FROM " . TABLE_PREFIX . "rth_em08_bets
WHERE user_id = ".$vbulletin->userinfo['userid']."
AND em_game_number = ".$game."");

and

Quote:

//phase?
$default_phase = ($em_now < $phase2_timestamp) ? 1 : 2;
$_GET['phase'] = (!empty($_GET['phase'])) ? $_GET['phase'] : $default_phase;
$show['phase'] = $_GET['phase'];
$phase_name = $vbphrase['EM2008_phase'.$_GET['phase']];
$_GET['phase'] = $phase_array[$_GET['phase']];

--------------- Added [DATE]1201713261[/DATE] at [TIME]1201713261[/TIME] ---------------

One wrote me: "Das are not no stringers, and/or should be. = > intval() or other method over to guarantee that it more integer sind"

[cheesegrits]

Yes, I just pointed out the obvious one. There is other work needs doing to proeprly sanitize your inputs.

Basically any user input you use in a query should be cleaned properly - that is, make sure it's been through the vbulletin GPC cleaner, and unless you have specific reasons not to, use escape_string.

And of course NEVER use $_GET, $_POST or $_REQUEST directly. Always run all input through the vbulletin GPC cleaner.

Suggest you read this excellent article:

https://vborg.vbsupport.ru/showthread.php?t=154411

-- hugh

[Tyran1]

Thank you @all.

The Thread can Closed!