» Barafranca News
kredu
23-01 Your thoughts...
14:58:40 - 24-01
How to replicate the bug:
$bullets = (int) $_POST['bullets'];
if ($bullets > 400) {
    // error: requested amount is over the limit
    die('error');
} else {
    // stuff
    // the limit was checked on the (int) cast, but the query is built from the raw POST string
    mysql_query("UPDATE `users` SET `bullets` = `bullets` + " . mysql_real_escape_string($_POST['bullets']) . " WHERE `userid` = " . $userid);
}
Great devs. :')
18-01 Doping in Omerta?!
17:10:46 - 21-01
How is it possible they don't even cast variables to (int)?
How to replicate the bug:
$bullets = (int) $_POST['bullets'];
if ($bullets > 400) {
    // error: requested amount is over the limit
    die('error');
} else {
    // stuff
    // the limit was checked on the (int) cast, but the query is built from the raw POST string
    mysql_query("UPDATE `users` SET `bullets` = `bullets` + " . mysql_real_escape_string($_POST['bullets']) . " WHERE `userid` = " . $userid);
}
Great devs. :')
Actually, the bug happens the opposite way, not that way.
The verification has no cast, but the (int) cast is made after the verification...
So 900e+100 would pass the verification of <900 and then would be cast to 90000000000 in the QUERY.
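Added example, not code from the thread: both check/use orderings discussed above (check on the cast, query on the raw string; check on the raw string, cast afterwards) beside a version that validates once and uses only the validated integer. It assumes addslashes() as a stand-in for the removed mysql_real_escape_string() and PDO-style placeholders; no database is needed to run it.

```php
<?php
const MAX_BULLETS = 400;

// Variant from the post: the range check sees the (int) cast, but the query
// is built from the raw POST string. A value such as "400abc" casts to 400,
// passes the check, and reaches the SQL text unchanged.
function variant_check_cast_use_raw(string $raw, int $userid): ?string {
    $bullets = (int) $raw;
    if ($bullets > MAX_BULLETS) {
        return null; // error branch
    }
    return "UPDATE `users` SET `bullets` = `bullets` + " . addslashes($raw)
         . " WHERE `userid` = " . $userid;
}

// Variant from the reply: the check runs on the raw string (type juggling)
// and the cast happens afterwards, so the value checked and the value stored
// can differ; how "900e+100" compares and casts depends on the PHP version.
function variant_check_raw_cast_after(string $raw, int $userid): ?string {
    if ($raw > MAX_BULLETS) {
        return null;
    }
    $bullets = (int) $raw;
    return "UPDATE `users` SET `bullets` = `bullets` + " . $bullets
         . " WHERE `userid` = " . $userid;
}

// Hardened: one strict integer validation, and the validated value is the
// only thing that reaches the query, as a bound parameter.
function hardened(string $raw, int $userid): ?array {
    $bullets = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => MAX_BULLETS]]);
    if ($bullets === false) {
        return null; // rejects "400abc", "900e+100", negatives, and > 400
    }
    return [
        'sql'    => "UPDATE `users` SET `bullets` = `bullets` + :bullets WHERE `userid` = :userid",
        'params' => [':bullets' => $bullets, ':userid' => $userid],
    ];
}

// Constructed inputs: a valid one and the two shapes the thread talks about.
foreach (['300', '400abc', '900e+100'] as $input) {
    printf("%-9s post-variant:  %s\n", $input, var_export(variant_check_cast_use_raw($input, 42), true));
    printf("%-9s reply-variant: %s\n", $input, var_export(variant_check_raw_cast_after($input, 42), true));
    printf("%-9s hardened:      %s\n", $input, var_export(hardened($input, 42), true));
}
```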