Go Back   vb.org Archive > vBulletin Modifications > Archive > vB.org Archives > Premium Archives > ibProArcade Archive
FAQ Community Calendar Today's Posts Search

Reply
 
Thread Tools
Alternate fix to injection code in comments Details »»
Alternate fix to injection code in comments
Version: , by rpgamersnet rpgamersnet is offline
Developer Last Online: Nov 2013 Show Printable Version Email this Page

Version: Unknown Rating:
Released: 02-28-2012 Last Update: Never Installs: 0
 
No support by the author.

So, in another thread it was mentioned that the current fix may get the job done, its also filtering out good data. There must be some proper solution to handle incoming comment data securely. I thought I would start a discussion in regards to finding an alternate fix to the problem then the one currently available.

The problem: Users input data into comments that is executed and causes trouble.

Solution ideas: Escape incoming data so that it cannot execute? Allow only alphanumeric comment data and write the SQL statements so that they cannot be broken out?

I will be the first to admit I am not a professional coder, although I do write a lot of code myself. I haven't taken a long look at how the comments are currently handled, but plan to. Lets pool some ideas and help MrZeroPage come up with a more solid fix!

Show Your Support

  • This modification may not be copied, reproduced or published elsewhere without author's permission.

Comments
  #22  
Old 03-08-2012, 07:40 PM
g7jgq g7jgq is offline
 
Join Date: Apr 2006
Posts: 9
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by rpgamersnet View Post
If you refer to this post: https://vborg.vbsupport.ru/showpost....91&postcount=5

The code I am asking about is the loop that removes all the SQL keywords from the comments. Most I'm sure won't come across in normal comments, but filtering out parts like "or" and "and" are going to catch and mess up standard comments, as given in the example on that post.

"I got the high score!" becomes "I got the high sce!"

"Got a great hand on the last round!" -> "Got a great h on the last round"

Some basic words will get filtered as well, not just the bad SQL data, which is why I suggested that maybe this fix is not the best solution. Code I am questioning is quoted here:

PHP Code:
function recursive_str_ireplace($replacethis,$withthis,$inthis)
{
    while (
1==1)
    {
        
$inthis str_ireplace($replacethis,$withthis,$inthis);
        if(
stristr($inthis$replacethis) === FALSE)
        {
            RETURN 
$inthis;
        }
    }
    RETURN 
$inthis;

PHP Code:
 // remove any SQL-commands
    
$sqlcomm[] = 'create';
    
$sqlcomm[] = 'database';
    
$sqlcomm[] = 'table';
    
$sqlcomm[] = 'insert';
    
$sqlcomm[] = 'update';
    
$sqlcomm[] = 'rename';
    
$sqlcomm[] = 'replace';
    
$sqlcomm[] = 'select';
    
$sqlcomm[] = 'handler';
    
$sqlcomm[] = 'delete';
    
$sqlcomm[] = 'truncate';
    
$sqlcomm[] = 'drop';
    
$sqlcomm[] = 'where';
    
$sqlcomm[] = 'or';
    
$sqlcomm[] = 'and';
    
$sqlcomm[] = 'values';
    
$sqlcomm[] = 'set';
    
$sqlcomm[] = 'password';
    
$sqlcomm[] = 'salt';
    
$sqlcomm[] = 'concat';
    
$sqlcomm[] = 'schema';
    
$value recursive_str_ireplace($sqlcomm''$value); 
Some recent threads have started to appear complaining of errors appearing, this new code is also the source of those new problems; the new recursive_str_ireplace loop to replace these parts of the comment field.... and any other field being filtered by the ibp_cleansql function.
As I posted in another thread, before searching !!!!!!!!!! its also stripping the words out of game names which I suspect will break a lot of games.

When it gets the game name from the posted data

PHP Code:
$game_name ibp_cleansql($_POST['gname']); 
A game such as wordrace will end up as wdrace

For now I have just modified the replacement list as follows, its NOT a good fix but at least all of the games will submit scores now :-)

PHP Code:
    $sqlcomm[] = 'create ';
    
$sqlcomm[] = 'database';
    
$sqlcomm[] = 'table';
    
$sqlcomm[] = 'insert';
    
$sqlcomm[] = 'update ';
    
$sqlcomm[] = 'rename';
    
$sqlcomm[] = 'replace ';
    
$sqlcomm[] = 'select ';
    
$sqlcomm[] = 'handler';
    
$sqlcomm[] = 'delete ';
    
$sqlcomm[] = 'truncate ';
    
$sqlcomm[] = 'drop ';
    
$sqlcomm[] = ' where ';
    
$sqlcomm[] = ' or ';
    
$sqlcomm[] = ' and ';
    
$sqlcomm[] = 'values';
    
$sqlcomm[] = ' set ';
    
$sqlcomm[] = 'password';
    
$sqlcomm[] = 'salt';
    
$sqlcomm[] = 'concat';
    
$sqlcomm[] = 'schema'
I know that won't solve the problem in comments but we don't really use comments. I am going to look at an alternative fix for this over the weekend

Cheers

Alex
Reply With Quote
  #23  
Old 03-09-2012, 01:13 AM
stangger5's Avatar
stangger5 stangger5 is offline
 
Join Date: Jan 2005
Location: Online
Posts: 1,130
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by g7jgq View Post

I know that won't solve the problem in comments but we don't really use comments. I am going to look at an alternative fix for this over the weekend

Cheers

Alex
Give this a try : https://vborg.vbsupport.ru/showpost....04&postcount=6
Reply With Quote
  #24  
Old 03-09-2012, 12:04 PM
g7jgq g7jgq is offline
 
Join Date: Apr 2006
Posts: 9
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by stangger5 View Post
Thanks for that.

Looking at that code it will do the same thing, the problem is you cannot get rid of SQL command by simply doing replaces in the posted data.

Cheers

Alex
Reply With Quote
Reply


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 04:49 PM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.08886 seconds
  • Memory Usage 2,265KB
  • Queries Executed 18 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (4)bbcode_php
  • (3)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)modsystem_post
  • (1)navbar
  • (6)navbar_link
  • (120)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (2)pagenav_pagelink
  • (4)post_thanks_box
  • (4)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (4)post_thanks_postbit_info
  • (3)postbit
  • (4)postbit_onlinestatus
  • (4)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • pagenav_page
  • pagenav_complete
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete