MYSQL ERROR IP

[Zainox]

That there are guys, first of all happy new year, I hope the last great time with their families. On this occasion I would like to see if you can help me with an error that I have on my server.

The error is displayed on the server console. As this error causes it to be left on the server, the error is as follows:

Mysql_real_query (): UPDATE `players` SET` ip` = '190.142.98.246' WHERE name = 'Dark'daniel'; - MYSQL ERROR: You have an error in your SQL syntax; Check the manual corresponding to your version of the MySQL server for the correct syntax to use near 'daniel' on line 1 (1064)

Highlight the cave that is the player's ip and his name. Any help will be very grateful.

Have an excellent week

P.D.: This is another error that comes out from time to time in the console

[Warning - Protocol::RSA_decrypt] Not valid packet size (IP: 190.26.22.17)

 

[Zainox]

bump

 

[Zainox]

open login.lua
find UPDATE `players` SET `ip`
change WHERE name = 'playername' ( probably something like WHERE name = 'getCreatureName(cid)' or player:getName())
to WHERE name = "playername"

He looked for what you told me but I did not find it, this is my login.lua

local config = {
    loginMessage = getConfigValue('loginMessage'),
    useFragHandler = getBooleanFromString(getConfigValue('useFragHandler'))
}

function onLogin(cid)
    if(getBooleanFromString(getConfigValue('accountManager')) == false) then
        if (getCreatureName(cid) == "Account Manager") then
            return doRemoveCreature(cid, true)
        end
    end

    local loss = getConfigValue('deathLostPercent')
    if(loss ~= nil and getPlayerStorageValue(cid, "bless") ~= 5) then
        doPlayerSetLossPercent(cid, PLAYERLOSS_EXPERIENCE, loss * 10)
    end

    if(getPlayerStorageValue(cid, "death_bless") == 1) then
        local t = {PLAYERLOSS_EXPERIENCE, PLAYERLOSS_SKILLS, PLAYERLOSS_ITEMS, PLAYERLOSS_CONTAINERS}
        for i = 1, #t do
            doPlayerSetLossPercent(cid, t[i], 100)
        end
        setPlayerStorageValue(cid, "death_bless", 0)
    end

    local accountManager = getPlayerAccountManager(cid)
    if(accountManager == MANAGER_NONE) then
        local lastLogin, str = getPlayerLastLoginSaved(cid), config.loginMessage
        if(lastLogin > 0) then
            doPlayerSendTextMessage(cid, MESSAGE_STATUS_DEFAULT, str)
            str = "Your last visit was on " .. os.date("%a %b %d %X %Y", lastLogin) .. "."
        else
            str = str .. " Please choose your outfit."
            doPlayerSendOutfitWindow(cid)
        end

        doPlayerSendTextMessage(cid, MESSAGE_STATUS_DEFAULT, str)
    elseif(accountManager == MANAGER_NAMELOCK) then
        addEvent(valid(doCreatureSay), 500, cid, "Hello, it appears that your character has been locked for name violating rules, what new name would you like to have?", TALKTYPE_PRIVATE_NP, true, cid)
    elseif(accountManager == MANAGER_ACCOUNT) then
        addEvent(valid(doCreatureSay), 500, cid, "Hello, type {account} to manage your account. If you would like to start over, type {cancel} anywhere.", TALKTYPE_PRIVATE_NP, true, cid)
    else
        addEvent(valid(doCreatureSay), 500, cid, "Hello, type {account} to create an account or {recover} to recover an account.", TALKTYPE_PRIVATE_NP, true, cid)
    end

    if(not isPlayerGhost(cid)) then
        doSendMagicEffect(getCreaturePosition(cid), CONST_ME_TELEPORT)
    end

    registerCreatureEvent(cid, "Idle")
    registerCreatureEvent(cid, "Mail")
    if(getPlayerOperatingSystem(cid) >= CLIENTOS_OTCLIENT_LINUX) then
        registerCreatureEvent(cid, "ExtendedOpcode")
    end

    registerCreatureEvent(cid, "ReportBug")
    if(config.useFragHandler) then
        registerCreatureEvent(cid, "SkullCheck")
    end

    registerCreatureEvent(cid, "GuildEvents")
    registerCreatureEvent(cid, "AdvanceSave")
    registerCreatureEvent(cid, "recordIp")
    registerCreatureEvent(cid, "partyAndGuildProtection")
    registerCreatureEvent(cid, "StorageMonster")
    return true
end

 

[Zainox]

bump

 

[Lordfire]

Do you have access to the source code?

Let's hope no one creates a character named "Daniel';drop table players"

 

[Zainox]

@Lordfire yes i have acces is my ot, i need edit the sources?

 

[andu]

Do you have access to the source code?

Let's hope no one creates a character named "Daniel';drop table players"

Imagine, that may work on many servers.

Player [1]: if you ban me, ill delete your god char and all gms

 

[Sun]

Somewhere you have a bad mysql query. If it's not in login.lua it's probably in your source code.
An easy way to track it is to search the whole folder. You just need to drag & drop your folder into your text editor.
Then by right clicking the folder there should be an option like "find in files", "find in folder" or "search directory"
now you can search for something like UPDATE `players` SET` ip`
and you will probably find the mysql string you need to change

 

[Znote]

You need to find the origin of this query and escape the character name before inserting it to the query, not only does it break, it is a potential security vulnerability.

 

[Sun]

You need to find the origin of this query and escape the character name before inserting it to the query, not only does it break, it is a potential security vulnerability.

wouldn't it be enough to change the quotation marks from ' to " ? since you can have ' in the char name but not "

 

[Znote]

wouldn't it be enough to change the quotation marks from ' to " ? since you can have ' in the char name but not "

Under the assumption that you can only access this method by logging into a character name that is already validated, maybe.
Better to just escape it, so it doesn't matter how the name is validated.

 

[Lordfire]

@Zainox
While I couldn't find it on my sources, search for UPDATE `players` SET` ip` = (exactly this string) and replace the player name (it will probably be something like WHERE name = '" << player->getName() << "';) with db.escapeString, e.g. UPDATE `players` SET `ip` = '" << player->lastIP << "' WHERE name = " << db.escapeString(player->getName()) << ";"

Note that I removed the surrounding ticks, as escapeString adds them already. It should fix on TFS 1.x

wouldn't it be enough to change the quotation marks from ' to " ? since you can have ' in the char name but not "

In this very specific case, yes, but TFS queries already have an escape method that should be used for proper escaping.

 

[Zainox]

@Lordfire if indeed I have found it and apparently the player does not cause more errors, to appear the origin is in the database, I have gone to the line and I have cleaned the query, but does not rule out that it can happen again with another player. I will continue testing and see if I find the source of the query @Znote

 

[StreamSide]

Do you have access to the source code?

Let's hope no one creates a character named "Daniel';drop table players"

lmao people has bad intentions

 

[Lordfire]

@Lordfire if indeed I have found it and apparently the player does not cause more errors, to appear the origin is in the database, I have gone to the line and I have cleaned the query, but does not rule out that it can happen again with another player. I will continue testing and see if I find the source of the query @Znote

It probably won't, but you can try searching for every other query that uses player->getName() and guarantee it is surrounded with escapeString

 

[Znote]

I would open up config.lua in notepad++, and do a recursive folder search in all files in all sub directories (data and source code) after this: SET` ip`

The query typo should make it easy to find it. (There is a space after `, instead of after SET).