PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!
Hey guys, I run a text based online game; recently someone has been able to gain access to the 2 Admin accounts and all moderator accounts. Now we know he doesn't have access to the Database because he could do a lot more damage than he has done.
Can anyone give me some pointers where I should be looking for this Bug; we have no idea how he can get into the accounts. We have changed the passwords for the accounts 5 times and he can still get in.
If anyone has any pointers I would be more than grateful.
Even if you downloaded the game/script you should still post it, I'm sure someone can show you a flaw; maybe they're using SQL injection to gain access. Post some code or a link and we will help.
// $username and $password come straight from the login form, unescaped,
// and are pasted into the SQL text (this is the injectable pattern)
$query = mysql_query("SELECT * FROM adminzzz WHERE username='$username' AND password='$password'", $do_connect_stuff);
$rowzzzz = mysql_num_rows($query);
if ($rowzzzz == 1){
    //log the admin in
}else{
    die('u suck at life');
}
But if you use that injection for the username and password then you confuse the database, because you use an OR statement in the query, and it's like: well, the password is either equal to what you put in as a password OR (like else) 1=1; well, 1=1 is the num_rows crap and 1 is equal to the 1 it must be equal to, am I right? Bam, admin access. There are many ways around this simple injection but it's a brief example. Google it for a full explanation.
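As an added example (not code from the thread), here is the string-built login query the reply describes next to a hardened version that uses a prepared mysqli statement and a stored password hash; the connected `$mysqli` object, the `admins` table and its columns are assumed for illustration.

```php
<?php
// Added example, not the thread's code. Shows the string-built login query
// the reply describes beside a hardened version. $mysqli (a connected mysqli
// object), the table "admins" and its columns are assumed for illustration.

// Vulnerable: user input is pasted straight into the SQL text, so quotes and
// keywords typed into the form become part of the query.
function buildUnsafeLoginQuery(string $username, string $password): string
{
    return "SELECT * FROM admins WHERE username='$username' AND password='$password'";
}

// Hardened: a prepared statement sends the SQL and the values separately, so
// the input can never change the query's structure, and the password is
// checked against a stored password_hash() value instead of plain text.
// get_result() needs the mysqlnd driver, which is the default in modern PHP.
function adminLogin(mysqli $mysqli, string $username, string $password): bool
{
    $stmt = $mysqli->prepare(
        'SELECT id, password_hash FROM admins WHERE username = ? LIMIT 1'
    );
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // password_verify() compares in constant time; unknown users and wrong
    // passwords both fail, whatever characters the input contains.
    return $row !== null && password_verify($password, $row['password_hash']);
}

// Constructed input containing a quote and an OR, to show the difference.
$input = "admin' OR '1'='1";
echo buildUnsafeLoginQuery($input, $input), PHP_EOL;
// The OR above makes the WHERE clause true for every row. The prepared version
// just looks for a user literally named "admin' OR '1'='1" and finds none:
// if (adminLogin($mysqli, $input, $input)) { /* log the admin in */ }
```

Admin passwords should be stored with `password_hash()` when the account is created so that `adminLogin()` has a hash to verify against.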
Ya, injecting into a shout box that doesn't require authentication (i.e. logging in to type stuff), then you're more looking at XSS (really CSS but not the style sheets thing). Please try posting some code so we can check for flaws ourselves.
You can't; no matter what, it says invalid username and password (unless your register page is messed up, but when I register then try to login it won't let me), so either A) your script is broken OR B) you've made it so it will never work.
Do something about it then repost; I'm not going to hack a broken script because that is impossible.