Lineage 2. Chat. Stupidity of programmers?

    This can be called a topic of indignation.

    The bottom line is:
    The entire chat of this game is written to the log and, as I understand it, through the database. It used to be possible to write SQL injections through this chat, and some, I think, can still be written now, since the bug most convenient for chat works. To separate your message from the messages of other players, you can simply write \n; for those who don't know, I'll explain that this is a special character that is present in many programming languages as a line break character.

    Attention, the question: why was it impossible to write an input message handler on the client side (so as not to load the server) and discard all unnecessary combinations of characters? It seems to me this is not so complicated. In this case, the problem with SQL injection will disappear immediately. The developers, on the other hand, protected themselves from each injection separately, instead of solving the problem globally.

    Do you think it is normal for a company of such magnitude as NCSoft to make such oversights?
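
An added example, not part of the original post and not NCSoft's code: one way to handle chat messages globally at the point where they are written to the database, using bound parameters instead of blocking individual character combinations, plus escaping of control characters such as \n when a message is shown. The table, the function names and the sample message are assumptions constructed for illustration, with SQLite standing in for the game's database, which the post does not name.

```python
import sqlite3


def open_log():
    # In-memory table standing in for the chat log (hypothetical schema).
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE chat_log (id INTEGER PRIMARY KEY, player TEXT, message TEXT)"
    )
    return db


def log_unsafe(db, player, message):
    # "Before": the message is pasted into the statement text, so any quote
    # character in it changes the SQL that the database parses.
    sql = "INSERT INTO chat_log (player, message) VALUES ('%s', '%s')" % (player, message)
    db.execute(sql)


def log_safe(db, player, message):
    # "After": bound parameters. The message is passed as data and never
    # becomes part of the SQL text, whatever characters it contains.
    db.execute("INSERT INTO chat_log (player, message) VALUES (?, ?)", (player, message))


def render_line(player, message):
    # Escape non-printable characters (including a real line break) so one
    # message always occupies exactly one line in a chat window or text log.
    shown = "".join(
        ch if ch.isprintable() else ch.encode("unicode_escape").decode()
        for ch in message
    )
    return f"{player}: {shown}"


def demo():
    db = open_log()
    msg = "it's a trap\nsecond line"  # constructed sample message
    try:
        log_unsafe(db, "alice", msg)
        unsafe_ok = True
    except sqlite3.Error:
        unsafe_ok = False  # the apostrophe alone breaks the concatenated SQL
    log_safe(db, "alice", msg)
    stored = db.execute("SELECT message FROM chat_log").fetchall()
    return unsafe_ok, stored, render_line("alice", msg)


if __name__ == "__main__":
    print(demo())
```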
