@Esenthel Do you call mysqli_real_escape_string() before send commands to database to avoid sql injection?

Hello!
I'm using ODBC for handling MySQL and MSSQL (sql.h, SQL* functions)

I am missing something, as far I know ODBC driver does not handle automatically sql injection attacks, right?

your looking for a 5th leg on the cat, simply use Parameters.AddWithValue() to combat the typical sql injection attacks.

-J

what are you talking? Parameters.AddWithValue() is for .Net (C#) applications.... I am using EE class (Sql.h)

I already added regular expressions and disabled some keyboard keys, but I think is not enough. There is something to avoid sql injection with EE?

I've been watching this a few days now, and held back my opinion. Ultimately, you shouldn't put such that deep of level of safeguards in your code or else you will end up playing catch up with patches to fix any new holes and vulnerabilities discovered instead of just game related items. Instead, you should rely on an external application firewall like NetScaler, F5 and the like that is purpose built to stop SQL injection, cross site scripting hacks, DOS attacks, etc. These are additional costs, but the good news is that these guys have a free version that you can use that is limited (usually by the amount of bandwidth it will support), but in many ways it is enough to get started with.

Let me know if you have any further questions regarding these types of things. There's actually a couple of guys in the forum like myself who implement these types of devices for companies as part of our day jobs. I for one have implemented such devices for online airfare sites and the like.

Thanks aceio, I didn't know about this kind of firewalls. I will try with dotDefender, I think it's free and looks robust.

Edit: No, it isn't free ^^.

Here is the link to the free NetScaler: https://store.citrix.com/store/citrix/en...D.28169600

And another link to another product that you might check out as well: http://www.modsecurity.org/

(06-04-2013 05:41 PM)aceio76 Wrote:  Here is the link to the free NetScaler: https://store.citrix.com/store/citrix/en...D.28169600

90-day trial. Not very usefull.

Quote:And another link to another product that you might check out as well: http://www.modsecurity.org/

I've installed it. Just some dlls, looks this is a module for webpages.

---

I am very confused. This firewalls are only for webpages?

I'm not sure above links are related to this thread, which is about http://en.wikipedia.org/wiki/SQL_injection

There is SQL.string which can be used for encoding strings into custom 'condition' parameters to SQL methods.

I'll do some testing for SQL methods to check if they're safe for potential injection.

If you've discovered some other SQL methods which are unsafe for Str parameters, then let me know and I'll fix them

ahh sorry I missed this. Basically, what I was recommending is what's called an Application Firewall (http://en.wikipedia.org/wiki/Application_firewall). With them playing proxy between your servers (SQL, game server, etc) and your clients, you can make sure that the packets received by your servers are as expected. They inspect packets (layer 3 all the way to layer 7 which is the application layer) as they come in and scrub for any malicious and unexpected communication. They are the best way to stop sql injection, cross site scripting, even denial of service attacks and more. These application firewalls can work on behalf of any TCP based traffic.

The very good ones you pay for and some that are free(ish) you would have to work on, such as configuring a web server (modsecurity, etc) to be a proxy for your game server (or any tcp-based application for that matter).

My point is, you could write some security measures in your game application, but it will very likely be an exercise in futility when it comes to fully securing it. It wouldn't be just sql injection I would be worried about, but anything that could change or crash your game server. That's why there are purpose-built devices for these sort of things. Sites like facebook, travelocity, even the Microsoft Windows Update servers are front-ended by such devices.

Thanks for info aceio.

I've successfully installed apache + modSecurity + Got root rules, and is blocking sql injection, Dos attacks and other things ... but on port 80 (http). I don't know how to proceed now because apache can not listen the same port than my game server (.exe)

Anyway, I think esenthel is encrypting tpc packets (their data are random letters and numbers, I used Wireshark ).

So even I could listen tcp socket of my game, packets will pass any firewall (NetScale, F5, modSecurity, etc) because they are encrypted!... At least sql injection must be checked in game server.

I can't believe how ppl working on mmos in this forum are not worried about this.

Esenthel Wrote:I'll do some testing for SQL methods to check if they're safe for potential injection.

An example:

Str cmd = S+"SELECT * FROM accounts WHERE accounts.name = '"+name+"';";
sql.command(cmd);

If name = ' OR '1'='1 , there we have sql injection. name should be filtered in some way ( I added regular expressions).

cmontiel, you are completely right. Website security is entirely different from application security. Consider also that any SQL calls should be made only on the server. The client should not even have SQL oriented code, and no SQL commands should ever be sent over the network.
What I would personally do is save all data that comes from the user-usernames, passwords, etc- as an encrypted string(similar to Esenthel's UID system). It could even be as simple as converting each character to its ASII value. This fully ensures that any SQL injection attempt will fail, and will help if someone was to somehow gain access to your database and pull up a listing of usernames/passwords.

encrypted values in database... I don't think is a good idea because performance drops.

And for example, what happen with DoS attacks to EE game server port? It's not only sql injection...

After read and testing a lot, Web applications firewalls (WAF) are only for web applications like a webpage (HTTP, HTTPS, SSL, etc) but they can't listen tcp connections like EE server creates.

I am going to change my question:
someone knows how to block attacks to a EE server port (tcp connection) ?

PD: My head hurts