LineAge 2. Chat. The stupidity of programmers?
This can be called a topic perturbation.
The bottom line is as follows:
The entire chat of this game is written to the log, and, as I understand it, through the database. For through this chat, it was possible to write SQL injections, some I think you can write now, since the most convenient chat bug works. To separate your message from the messages of other players, you can simply write \ n, for those who do not know, I will explain that this is a special character that is present in many programming languages, like a newline character.
Attention the question why it was impossible to write an input message handler, on the client side (so that the server does not load) and discard all unnecessary combinations of characters, it seems to me not so difficult. At the same time, the problem with SQL injections will immediately disappear. Developers, on each injection, were protected separately, instead of solving the problem globally.
')
Do you think it is normal for a company of such magnitude as NCSoft to make such mistakes?
The bottom line is as follows:
The entire chat of this game is written to the log, and, as I understand it, through the database. For through this chat, it was possible to write SQL injections, some I think you can write now, since the most convenient chat bug works. To separate your message from the messages of other players, you can simply write \ n, for those who do not know, I will explain that this is a special character that is present in many programming languages, like a newline character.
Attention the question why it was impossible to write an input message handler, on the client side (so that the server does not load) and discard all unnecessary combinations of characters, it seems to me not so difficult. At the same time, the problem with SQL injections will immediately disappear. Developers, on each injection, were protected separately, instead of solving the problem globally.
')
Do you think it is normal for a company of such magnitude as NCSoft to make such mistakes?
Source: https://habr.com/ru/post/52073/
All Articles