Ranking Pages really unsecure?

  1. #1
    BG-Nero (Join Date: Feb 2012, Location: Germany, Posts: 285)

    Ranking Pages really unsecure?

    Hey,

    I am already discussing with my mate whether there is a way to make a Ranking Page secure against those SQL injections.
    But he talked to me and said there is no way to inject a Ranking Page because there is no visible code you can break up.
    Plus, I don't see a post asking "is it secure?" on any Ranking Page release.

    And I would like to know if there is a way to SQL inject it.
    Because I want to make mine secure.

    I would appreciate that.


  2. #2
    Dave (Join Date: Mar 2011, Location: The Netherlands, Posts: 722)

    Re: Ranking Pages really unsecure?

    If you only load data out of the database with no interaction of the user, then it should be safe.

    Else:
    - Use prepared statements. PHP: SQLSRV - Manual
    - Filter out all of the bad characters. ' " ; %27 %22 %3B.
    - Typecast variables.
    - Do checks on the variables. ctype_digit for numbers.
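
Added example, not part of the original posts or of any released ranking script: the checks listed above applied to a ranking page that reads hypothetical `top`, `sort` and `class` values from the URL query string. The table and column names are assumptions, and PDO with an in-memory SQLite database stands in for the real server so the script runs offline.

```php
<?php
// Added example, not code from the thread. Table, column and parameter names
// are hypothetical; in-memory SQLite stands in for the real database.

// ORDER BY cannot take a bound value, so the column comes from an allow-list.
const SORT_COLUMNS = ['level' => 'level', 'kills' => 'kills'];

function fetchRanking(PDO $db, array $query): array
{
    // Check, then typecast: "top" must be digits only, clamped to 1..100.
    $top = $query['top'] ?? '10';
    $top = (is_string($top) && ctype_digit($top)) ? (int) $top : 10;
    $top = max(1, min(100, $top));

    // Unknown or non-string sort keys fall back to the default column.
    $sort = $query['sort'] ?? 'level';
    $column = is_string($sort) ? (SORT_COLUMNS[$sort] ?? 'level') : 'level';

    // Prepared statement: class filter and limit are bound, never concatenated.
    $class = $query['class'] ?? null;
    $sql = 'SELECT name, class, level, kills FROM characters';
    if (is_string($class) && $class !== '') {
        $sql .= ' WHERE class = :class';
    }
    $sql .= " ORDER BY $column DESC LIMIT :top";

    $stmt = $db->prepare($sql);
    if (is_string($class) && $class !== '') {
        $stmt->bindValue(':class', $class, PDO::PARAM_STR);
    }
    $stmt->bindValue(':top', $top, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE characters (name TEXT, class TEXT, level INTEGER, kills INTEGER)');
$db->exec("INSERT INTO characters VALUES
    ('Aria', 'mage', 80, 12), ('Borin', 'warrior', 75, 40), ('Cyd', 'mage', 60, 55)");

// Constructed requests standing in for $_GET on a ranking page.
$requests = [
    ['top' => '2', 'sort' => 'kills'],
    ['top' => '2;', 'sort' => 'name;', 'class' => "mage'"],
];
foreach ($requests as $query) {
    echo json_encode(fetchRanking($db, $query)), PHP_EOL;
}
```

With the SQLSRV driver linked in the post, the bound values go in the `$params` array of `sqlsrv_query()` instead of `bindValue()`.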

  3. #3
    Joe9099 (Join Date: Jan 2007, Location: England, UK, Posts: 3,655)

    Re: Ranking Pages really unsecure?

    Filtering is the main source of keeping injections away. As long as you have a filter like superwaffle stated, you should be perfectly fine. You could also limit the characters typed into fields if you REALLY want to be secure!

  4. #4
    BG-Nero (Join Date: Feb 2012, Location: Germany, Posts: 285)

    Re: Ranking Pages really unsecure?

    Originally posted by Joe9099:
    > Filtering is the main source of keeping injections away. As long as you have a filter like superwaffle stated, you should be perfectly fine. You could also limit the characters typed into fields if you REALLY want to be secure!

    Well, now I know it is injectable, but not if you filter them out.
    The one thing I don't understand is how they can inject it?
    Since you only see the ranks.
    You can't type something at the Rank Page; there is no field where you can write something.

    That is what is making me think about it.

  5. #5
    Dave (Join Date: Mar 2011, Location: The Netherlands, Posts: 722)

    Re: Ranking Pages really unsecure?

    Originally posted by BG-Nero:
    > Well, now I know it is injectable, but not if you filter them out.
    > The one thing I don't understand is how they can inject it?
    > Since you only see the ranks.
    > You can't type something at the Rank Page; there is no field where you can write something.
    >
    > That is what is making me think about it.

    Every script (with user interaction) can be vulnerable if you didn't add any protection.
    Login/register/itemshop scripts, for example.
    Last edited by Dave; 09-04-12 at 10:40 PM. Reason: Typo.


