Search Unity

Code injection

Discussion in 'Scripting' started by Sly88, Feb 8, 2021.

  1. Sly88


    Feb 22, 2016
    hi guys,
    Do you know how to detect code injection? I use il2cpp and I would like to know if someone tries to use injection in my app.
  2. Kurt-Dekker


    Mar 16, 2013
    Sounds like a question better suited to a hacker forum.

    This forum is for Unity scripting and making games, not fruitlessly trying to stop eleven year olds modding your game.
    Joe-Censored and Suddoha like this.
  3. Antistone


    Feb 22, 2014
    Code injection usually refers to a security problem where you take some user input at runtime and interpret it as executable code, which allows a malicious user to make you run whatever code they give you. This...doesn't obviously have anything to do with il2cpp?

    The usual example is that you use some input from the user as a parameter in some database command (like SQL), and you expected the user to enter some ordinary string like

    but instead they entered a string like
    robert'); DROP TABLE Students; --

    But if you just splice their string into your query without checking, then you've just unwittingly allowed a clever user to run arbitrary commands on your database.

    The solution to this problem for most programs is "very carefully never do that." If you have to use any form of outside input when creating an internal command, then either validate or escape the input first. (Libraries for things like SQL will often have built-in commands for this sort of thing, specifically to help you prevent code injection attacks.)

    But you generally shouldn't try to "detect" code injection except indirectly. That is, instead of asking "is this an attempted attack?" you should ask a question like "can I absolutely prove that this input is completely safe?" and if you can't then you shouldn't use it.
    Joe-Censored and PraetorBlue like this.