mysql escaping and admin authentication


djh
Member
Join Date: Nov 2004
Old 09-11-2008 , 07:16   mysql escaping and admin authentication

Hello.

I'm writing a plugin that logs admin activity to a mysql database table.
I have a few problems so far:
I use the client_putinserver and client_disconnect functions to log when somebody joins and leaves.
Then inside each one I check to see if the user has admin rights using is_user_admin.
The problem is: if someone joins as a simple player and then authenticates as an admin and leaves, I only log the disconnection, so I see someone leaving without joining. The same goes if someone joins authed and leaves unauthed: I only see him joining and not leaving. Worst case, if someone joins unauthed, auths, then changes name and becomes a normal player and leaves, I don't log anything.
So I'd like to know what I should use to detect when someone gains admin privileges and also when someone loses admin privileges.

One other matter: when I log the joins/parts the admin's name gets logged, and people can have all sorts of names, so this is vulnerable to SQL injection, and I'd like to prevent that. From what I've seen on PHP's mysql_real_escape_string function:
Code:
mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.
I don't know how to do that in AMXX, i.e. how to escape the hex and \n newline stuff.
This is so far the code I use to log joins/parts (the client_disconnect is similar, except that I log as "left" instead of "joined"):
Code:
#include <amxmodx>
#include <amxmisc>
#include <sqlx>

new Handle:connect   // database connection handle, opened elsewhere in the plugin

public client_putinserver(id)
{
    if (is_user_admin(id) && is_user_connected(id))
    {
        new g_admin_joined[513], srv_id[2], admn_name[65], admn_steamid[65], admn_ip[33], error[513]
        get_user_name(id, admn_name, 64)
        get_user_authid(id, admn_steamid, 64)
        get_user_ip(id, admn_ip, 32, 0)

        // hand-rolled escaping of the player-controlled name; Pawn's string escape
        // character is ^, so "\'" is a literal backslash followed by a quote
        replace_all(admn_name, 64, "'", "\'")
        replace_all(admn_name, 64, "^"", "\^"")
        replace_all(admn_name, 64, ";", "\;")
        replace_all(admn_name, 64, "-", "\-")
        replace_all(admn_name, 64, "%", "\%")
        replace_all(admn_name, 64, "_", "\_")
        replace_all(admn_name, 64, "#", "\#")

        get_cvar_string("amx_server_serverid", srv_id, 1)

        // The rest of this format() call was cut off in the original post. The table
        // name "admin_log", the `action` column and the VALUES list are an assumption
        // reconstructed from the error message quoted later in the thread.
        format(g_admin_joined, 512,
            "INSERT INTO `%s` ( `server_id` , `timestamp` , `admin_name` , `admin_steamid` , `admin_ip` , `action` ) VALUES ( '%s' , NOW( ) , '%s' , '%s' , '%s' , 'joined' )",
            "admin_log", srv_id, admn_name, admn_steamid, admn_ip)

        new Handle:queryInsert = SQL_PrepareQuery(connect, "%s", g_admin_joined)
        // server_print("[SQLDEBUG] %s", g_admin_joined)
        if (!SQL_Execute(queryInsert))
        {
            SQL_QueryError(queryInsert, error, 512)
            server_print("[SQLERROR]: %s", error)
        }
        SQL_FreeHandle(queryInsert)
    }
    return PLUGIN_CONTINUE
}

Last edited by djh; 09-11-2008 at 09:02.
|PJ| Shorty
Veteran Member
Join Date: Aug 2005
Location: Bavaria, Germany
Old 09-11-2008 , 09:55   Re: mysql escaping and admin authentication

see:

http://www.amxmodx.org/funcwiki.php?go=func&id=1182
http://www.amxmodx.org/funcwiki.php?go=func&id=1183

maybe you can catch the amx log:

Login: <.....> became an admin <.....>.....

or catch the name change with client_infochanged
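The following is an added example, not code from the original post or from the AMX Mod X project. Instead of parsing the "became an admin" log line suggested above, it takes the other route mentioned here: it hooks client_authorized and client_infochanged, waits a short moment so admin.sma (which grants and revokes flags from those same forwards, in whatever order plugin loading dictates) has run, then compares is_user_admin against the last state it saw and reports every transition. That catches the join-unauthed/auth-later case and the rename-and-lose-access case from the question. The names g_was_admin, check_admin_state, task_check_admin, report and the 0.5 s delay are this example's own assumptions.

```pawn
#include <amxmodx>
#include <amxmisc>

// Added example: per-slot admin state tracking. Not part of the original post.
#define MAX_PLAYERS 32
#define RECHECK_DELAY 0.5   // seconds; assumed long enough for admin.sma to have acted

new bool:g_was_admin[MAX_PLAYERS + 1]   // index 0 unused

public plugin_init()
{
    register_plugin("Admin State Tracker", "0.1", "example")
}

public client_putinserver(id)
{
    // A player who already holds admin flags here (granted by SteamID/IP while
    // connecting) is reported as "gained" on join.
    g_was_admin[id] = false
    check_admin_state(id)
}

public client_authorized(id)
{
    // Steam auth may complete after putinserver; SteamID-based flags are granted
    // from this forward by admin.sma, so re-check once it has had a chance to run.
    schedule_recheck(id)
}

public client_infochanged(id)
{
    // A name change can grant or revoke name-based access (users.ini "a" flag).
    // admin.sma handles it in its own client_infochanged; whether that runs before
    // or after this one depends on load order, hence the deferred check.
    if (is_user_connected(id))
        schedule_recheck(id)
}

public client_disconnect(id)
{
    remove_task(id)
    if (g_was_admin[id])
        report(id, false)   // leaving while admin is logged as losing the privileges
    g_was_admin[id] = false
}

schedule_recheck(id)
{
    remove_task(id)   // collapse bursts of infochanged into one check
    set_task(RECHECK_DELAY, "task_check_admin", id)
}

public task_check_admin(taskid)
{
    // taskid is the player index handed to set_task
    if (is_user_connected(taskid))
        check_admin_state(taskid)
}

check_admin_state(id)
{
    new bool:now_admin = is_user_admin(id) != 0
    if (now_admin != g_was_admin[id])
        report(id, now_admin)
}

report(id, bool:now_admin)
{
    new name[32], authid[32]
    get_user_name(id, name, charsmax(name))
    get_user_authid(id, authid, charsmax(authid))
    log_amx("%s <%s> %s admin privileges", name, authid, now_admin ? "gained" : "lost")
    g_was_admin[id] = now_admin
}
```

The state flag is what makes the join/leave pairs consistent: whatever the player does between connecting and disconnecting, the log only ever shows a "lost" after a "gained" for the same slot.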
djh
Member
Join Date: Nov 2004
Old 09-12-2008 , 08:37   Re: mysql escaping and admin authentication

Thank you for the info. I have some problems using those however:
I'm having a hard time figuring out how to use SQL_QuoteStringFmt. It returns the length of the new string or -1 on failure, so in my example I tried to escape g_admin_joined, but I got all sorts of errors such as:
Code:
[SQLERROR]: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'\' , NOW( ) , \'g#\' , \'STEAM_ID_PENDING\' , \'zzz.zzz.zzz.zzz:27005\', \'joine' at line 1
I should mention that I used the in-game name g#'d;#Sdf'_$ for testing purposes.
As you can see it escapes everything.
It's not really what I wanted, and I don't quite understand how it works. Wouldn't it be easier to have something like this:
Code:
new Handle:query = SQL_PrepareQuery(Handle:db, "INSERT INTO `%s` (`field`) VALUES ('%s')", table_name, SQL_safequotesomething(fieldvalue))
And if there's no such thing, then how can I manually escape those hex chars that PHP's mysql_real_escape_string escapes?
Code:
 \x00, \n, \r, \, ', " and \x1a

Last edited by djh; 09-12-2008 at 10:23.
danielkza
AMX Mod X Plugin Approver
Join Date: May 2007
Location: São Paulo - Brasil
Old 09-12-2008 , 12:49   Re: mysql escaping and admin authentication

Quote:
Originally Posted by djh
I'm having a hard time figuring out how to use SQL_QuoteStringFmt. [...] In my example I tried to escape g_admin_joined, but I got all sorts of errors such as:
Code:
[SQLERROR]: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'\' , NOW( ) , \'g#\' , \'STEAM_ID_PENDING\' , \'zzz.zzz.zzz.zzz:27005\', \'joine' at line 1
[...] As you can see it escapes everything.
Apparently you're trying to escape the whole query. As far as I know you should only escape user-provided data, like names.
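The point above, as an added example that is not code from the original post or from the AMX Mod X project: the error quoted earlier shows what happens when the finished INSERT is run through the quoting function, because every quote the template itself needs becomes \' and the statement stops parsing. Only the player-controlled value goes through SQL_QuoteString (the first of the two functions linked earlier); the quotes around it stay in the template passed to SQL_PrepareQuery, which does its own formatting so the name needs no second % escaping. The connection parameters, the table `admin_log` and its columns, and the plugin's own names (g_db, g_sql_tuple, log_admin_event) are assumptions for this example; the join/leave admin check is kept as simple as in the question and does not address the state-tracking problem.

```pawn
#include <amxmodx>
#include <amxmisc>
#include <sqlx>

// Added example: escape only the user data, never the whole query.
// Host, credentials, table and column names below are assumptions.
new Handle:g_sql_tuple
new Handle:g_db

public plugin_init()
{
    register_plugin("Admin SQL Logger", "0.1", "example")
    g_sql_tuple = SQL_MakeDbTuple("127.0.0.1", "amxx", "secret", "admin_log")

    new errcode, error[256]
    g_db = SQL_Connect(g_sql_tuple, errcode, error, charsmax(error))
    if (g_db == Empty_Handle)
        set_fail_state(error)
}

public plugin_end()
{
    if (g_db != Empty_Handle) SQL_FreeHandle(g_db)
    if (g_sql_tuple != Empty_Handle) SQL_FreeHandle(g_sql_tuple)
}

public client_putinserver(id)
{
    if (is_user_admin(id))
        log_admin_event(id, "joined")
}

public client_disconnect(id)
{
    if (is_user_admin(id))
        log_admin_event(id, "left")
}

log_admin_event(id, const action[])
{
    new name[32], authid[32], ip[32]
    get_user_name(id, name, charsmax(name))
    get_user_authid(id, authid, charsmax(authid))
    get_user_ip(id, ip, charsmax(ip), 0)

    // Escape only the one value the player controls. For a MySQL handle the driver
    // backslash-escapes the same set as mysql_real_escape_string (', ", \, NUL,
    // \n, \r, \x1a) and returns -1 on failure. It does not add the surrounding
    // quotes; those belong in the query template. Worst case every character
    // gains a backslash, so the output buffer is twice the input plus the NUL.
    new safe_name[2 * 32 + 1]
    if (SQL_QuoteString(g_db, safe_name, charsmax(safe_name), name) == -1)
    {
        log_amx("[SQLERROR] could not escape name of %s", authid)
        return
    }

    // SteamID and IP are formatted by the engine, not typed by the player, and the
    // action is a literal from this plugin, so they are passed through as-is.
    // The literal quotes live in the template, around each %s.
    new Handle:query = SQL_PrepareQuery(g_db,
        "INSERT INTO `admin_log` (`admin_name`, `admin_steamid`, `admin_ip`, `action`, `ts`) VALUES ('%s', '%s', '%s', '%s', NOW())",
        safe_name, authid, ip, action)

    if (!SQL_Execute(query))
    {
        new error[256]
        SQL_QueryError(query, error, charsmax(error))
        log_amx("[SQLERROR] %s", error)
    }
    SQL_FreeHandle(query)
}
```

With the test name from the thread, g#'d;#Sdf'_$, only the two single quotes gain a backslash; `#`, `;`, `_` and `$` are harmless inside a quoted string literal and are left alone, which is why the hand-rolled replace_all list in the first post is both incomplete (no backslash, NUL or newline handling) and over-eager.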