[REQUEST]{URGENT}

08/26/2010 01:14 Danco1990#1
It seems the databases are stored in plaintext. abrasive proved to me that it is easy to hack the normal databases. Therefore I'm requesting a way to secure it by MD5 or whatever is necessary to make sure people can't read out data OR write in the DB (apart from the regpage and reading the PvP ranks).

Does anyone know how to succeed in securing a DB like stated and willing to share the information?
08/26/2010 01:19 [GM]Father#2
Better test these changes on a private server before you take it live. Otherwise your 99% uptime is going to be greatly affected.
08/26/2010 01:20 Danco1990#3
Got 2 test servers running. I'm striving to make sure all my promises are kept, so I need a fix quick ;).
08/26/2010 01:31 nXu#4
Well... since the login is using the plaintext password, I'm not sure if it's possible...
But it's just my opinion.
08/26/2010 04:04 TheShaiyaSyndicate#5
It is possible; mine uses a one-way MD5 hash, but I had to edit both the registration forms and the executables to do it.

I thought you said you knew all about securing servers?

Quote:
Originally Posted by Danco1990
I know how to secure servers, that's why I made a guide about it, but I also know how to get in, even IF your server is secured in every possible way... Not a threat, just a warning.
08/26/2010 04:40 Danco1990#6
Yup, I do know some ways, but this way I have never seen before; the path to your goal can lead down different roads, you see. This kind of problem I haven't seen before. I'm working on it as we speak, should be done soon.
08/26/2010 05:22 ProfNerwosol#7
Quote:
Originally Posted by Danco1990
It seems the databases are stored in plaintext. abrasive proved to me that it is easy to hack the normal databases. Therefore I'm requesting a way to secure it by MD5 or whatever is necessary to make sure people can't read out data OR write in the DB (apart from the regpage and reading the PvP ranks).

Does anyone know how to succeed in securing a DB like stated and willing to share the information?
What do you mean? Securing the database? If it's your computer you are running it on, just lock the ports and disable external IPs from connecting to the server. If not, leave it for the provider to deal with security. Or do you mean how to secure the scripts on the website with the login and password for the database? Just put the httpaccess thingie there and it will prevent anyone from reading that directory. It's best to keep such information in a separate file and include it when needed. There's also another thing you can do if that's on your PC: place the file with the database login outside of the httpd directory. No one can access anything above httpd from the internet, but from inside the script you can.
08/26/2010 05:48 Danco1990#8
I host the reg page and PvP page locally, so I can't put it above the public folder, I'm afraid. The ports are all blocked; it seemed that there is a problem with the reg scripts, and I'm getting some help atm to get that sorted. As far as I heard, only 2 servers running now are protected from this inject. I had 2 people proving this to me now. I will put up a htaccess, since that will greatly improve the security. If I put this in, does this mean no one can see or get a password in the processor.php if I put another one in? If so, I can open my port for SQL again and I can work outside my IP range.

When I figure out how to properly secure the processor script against SQL injects, I MIGHT release it.
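
Added example, not code from any poster in this thread: a registration handler written first with string concatenation and plaintext storage, then with bound parameters and a salted password hash, covering the two concerns raised above (SQL injection in the reg script, plaintext passwords in the database). Assumptions: Python with an in-memory SQLite table stands in for the real PHP script and game database; the table layout, function names and hostile input are constructed; PBKDF2 is used here instead of the MD5 mentioned in the thread, and the login side must compute the same hash.

```python
import hashlib
import hmac
import os
import sqlite3

def open_db():
    # In-memory stand-in for the account database (hypothetical schema).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw BLOB,"
               " salt BLOB, is_admin INTEGER DEFAULT 0)")
    return db

def hash_password(password, salt):
    # Salted PBKDF2-HMAC-SHA256; only this digest is stored, never the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def register_unsafe(db, name, password):
    # "Before": input is pasted into the SQL text and the password is stored as-is.
    db.execute("INSERT INTO users (name, pw, salt, is_admin) VALUES ('"
               + name + "', '" + password + "', '', 0)")

def register_safe(db, name, password):
    # "After": placeholders keep input out of the SQL text. False if name is taken.
    salt = os.urandom(16)
    try:
        db.execute("INSERT INTO users (name, pw, salt) VALUES (?, ?, ?)",
                   (name, hash_password(password, salt), salt))
    except sqlite3.IntegrityError:
        return False
    return True

def check_login(db, name, password):
    # Recompute the hash with the stored salt and compare in constant time.
    row = db.execute("SELECT pw, salt FROM users WHERE name = ?",
                     (name,)).fetchone()
    return row is not None and hmac.compare_digest(
        row[0], hash_password(password, row[1]))

def admin_flag(db, name):
    # Returns the is_admin value for an account, or None if it does not exist.
    row = db.execute("SELECT is_admin FROM users WHERE name = ?",
                     (name,)).fetchone()
    return None if row is None else row[0]

# Constructed hostile account name: closes the string literal and supplies
# its own column values, so the unsafe handler runs a different statement.
HOSTILE = "eve', 'x', '', 1) --"
```

With the unsafe handler the constructed name creates an account `eve` with `is_admin` set to 1; with the safe handler the same input is stored as an odd but harmless account name with `is_admin` 0.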