Search Unity

Can someone explain me this sql lines?

Discussion in 'Connected Games' started by earrgames, Jul 1, 2014.

  1. earrgames

    earrgames

    Joined:
    Jan 27, 2014
    Posts:
    168
    Hi forum people, I'm figuring out how to add a new entry to my database, I already can retrieve data from de DB, thats because I copied and edited an script form the Unify wiki, but there's a script I don't understand, something about sql injection, look at these lines please:

    Code (JavaScript):
    1.  
    2. <?php
    3.         $db = mysql_connect('XXXXXX', 'XXXXXX', 'XXXXXX') or die('Could not connect: ' . mysql_error());
    4.         mysql_select_db('XXXXXX') or die('Could not select database');
    5.  
    6.         // Strings must be escaped to prevent SQL injection attack.
    7.         $name = mysql_real_escape_string($_GET['name'], $db);
    8.         $score = mysql_real_escape_string($_GET['score'], $db);
    9.         $hash = $_GET['hash'];
    10.  
    11.         $secretKey="mySecretKey"; # Change this value to match the value stored in the client javascript below
    12.  
    13.         $real_hash = md5($name . $score . $secretKey);
    14.         if($real_hash == $hash) {
    15.             // Send variables for the MySQL database class.
    16.             $query = "insert into scores values (NULL, '$name', '$score');";
    17.             $result = mysql_query($query) or die('Query failed: ' . mysql_error());
    18.         }
    19. ?>
    20.  
    Ok, now, I'm triggering this script with this line: http://myserver/addscore.php?name=pedro&score=340 via a WWW.
    The things i can't understand are:

    1-What is sql injection? something about hacking?
    2-I have to add another argument $hash in my URL? whats is this for?
    3-The thing about the $secretKey is for what?
    4- and the las one, what is "$real_hash = md5($name . $score . $secretKey); " this line supposed to do?.

    Thanks People, I really need help over here.

    Cheers!
     
  2. Cjreek

    Cjreek

    Joined:
    Apr 23, 2013
    Posts:
    33
    1) Yes, you change arguments in such a way that you break the SQL code. If there wasn't this mysql_real_escape_string then you could write something like this

    bla') DROP DATABASE ... <your own evil SQL code> --

    to inject your own SQL code.

    2) it's an md5 hash of the name, the score you are passing to the script and the secret key (which you need to know).
    On one side it maskes sure the data the script receives is the data you wanted to pass to the script and it didn't change on its way due to some errors in the transmission (the md5 sum of the values you passed would be different than the hash you passed). On the other side it prevents (at least a little bit) man in the middle attacks so that attackers can't just change the values you passed, because then the md5 sum of the changed/hacked values wouldn't equal to the hash you calculated of the original/true values.

    3) ^

    4) It's calculating the hash of the values you passed to compare it to the hash you passed to the script. If those two hashes don't equal then something went wrong and it won't write your values into the DB
     
  3. earrgames

    earrgames

    Joined:
    Jan 27, 2014
    Posts:
    168
    Ok, let me see if I understood(I'm totally new to this).. I need to calculate the md5 sum of $name . $score . $secretKey myself and then pass it to the url, using this value as $hash value? and then the script will calculate it's own md5 and it must be equal to the $hash I passed?.

    Thanks for your patience man!
     
  4. Cjreek

    Cjreek

    Joined:
    Apr 23, 2013
    Posts:
    33
    That's right. :)
     
    earrgames likes this.
  5. earrgames

    earrgames

    Joined:
    Jan 27, 2014
    Posts:
    168
    THANKS MAN! now it's working perfectly!

    Cheers!
     
unityunity