• GBay - A Garry's Mod marketplace!
    141 replies, posted
[QUOTE=XxLMM13xXx;51940978]Let me get this straight... you're basically just saying it's bad practice to store passwords plaintext in databases. I understand that. You're not saying [B]in this case[/B] that it's going to make anything more secure, because the other option is just taking the password and having it in a text file with the password plaintext. I completely understand the bad practice I am doing here, but [B]in this case[/B] should I bother?[/QUOTE] Hash passwords you store in the database. Then compare the hashed password stored in the DB with a hash of the user input. It's literally that simple. You don't need to store plaintext, wtf. [QUOTE=BlackVoid;51940773]You have still not given a solution to not store connection details in cleartext.[/QUOTE] The hell, you can't store database connection details in anything but plaintext.
[QUOTE=XxLMM13xXx;51940978]Let me get this straight... you're basically just saying it's bad practice to store passwords plaintext in databases. I understand that. You're not saying [B]in this case[/B] that it's going to make anything more secure, because the other option is just taking the password and having it in a text file with the password plaintext. I completely understand the bad practice I am doing here, but [B]in this case[/B] should I bother?[/QUOTE] No, you don't need to hash [B]database credentials[/B], nor can you anyway. Whoever uses the addon should be intelligent enough to make a separate user that can only read and write to a specific table. The error a lot of people make is using the root user for this, which is a horrible practice since root can access the whole database. That being said, IF you store passwords for [B]anything else[/B], you SHOULD encrypt them in some way.
Guys, I'm trying to avoid having to log in every single time the server starts up. If I hash the passwords, then on every startup someone would need to log in.
[QUOTE=Flamingsword;51941009]The hell, you can't store database connection details in anything but plaintext.[/QUOTE] Yes, that's what I've been saying the entire time; however, Nookyava has been arguing that it's bad practice.
I think a lot of people are misunderstanding the fact that the only time the password is stored is for the MySQL login details when you first set up the password, not any actual user passwords, like I also originally believed.
[QUOTE]I completely understand the bad practice I am doing here, but in this case should I bother?[/QUOTE] Yes, you should. Think about how many users are going to put their password (which may be used for everything) into this system. That gives the server owner all those passwords, and if he wants to fuck with a player it wouldn't be hard to do if they have their email from a forum software.
I think there is a misunderstanding. Allow me to explain how the system works... A user installs my addon, and when they join they enter their MySQL info they will be using for tmysql4. Next it uses that info to connect to the tmysql4... it ALSO stores the user's login info in the gmod SQLite or whatever database. Now when the server shuts down and starts up, it then searches the SQLite database or whatever to see if there is a username and password, and if it finds one it will automatically connect to the tmysql4 database. If I hash the passwords, then an admin/owner will need to enter the password EVERY TIME THE SERVER RESTARTS, and that's not the point. [editline]10th March 2017[/editline] [QUOTE=JamesScott;51941084]Yes, you should. Think about how many users are going to put their password (which may be used for everything) into this system. That gives the server owner all those passwords, and if he wants to fuck with a player it wouldn't be hard to do if they have their email from a forum software.[/QUOTE] You completely don't understand: there is ONE user putting in a password, and that is the server owner.
[QUOTE=BlackVoid;51941058]Yes, that's what I've been saying the entire time, however Nookyava has been arguing that it's bad practice.[/QUOTE] I have never once said that. Show where, or stop bringing it up. It's that simple.
[QUOTE=Nookyava;51941215]I have never once said that. Show where, or stop bringing it up. It's that simple.[/QUOTE] [QUOTE=Nookyava;51936083]Why are you storing any password plain like you are here? [url]https://github.com/XxLMM13xXgaming/gbay/blob/master/lua/gbay/mysql/sv_mysql.lua#L172[/url] Even if it's just the one user, it's still a bad habit.[/QUOTE] The code linked is to store connection details, and a few lines below it loads the connection details to connect to the database.
No. That's him UPDATING the users info in the DATABASE. That's not the connection details. [editline]10th March 2017[/editline] I just realized that links to the wrong code link, but regardless my countless posts have stated otherwise.
[QUOTE=Nookyava;51941256]No. That's him UPDATING the user's info in the DATABASE. That's not the connection details. [editline]10th March 2017[/editline] I just realized that links to the wrong code link, but regardless my countless posts have stated otherwise.[/QUOTE] Can you describe what connection details are to you if they're not the host, username, password, database and port? Because those are the variables used in the connection string. [QUOTE=Nookyava;51941256]I just realized that links to the wrong code link, but regardless my countless posts have stated otherwise.[/QUOTE] Then this thing was a big misunderstanding, peace?
[quote][url]https://github.com/XxLMM13xXgaming/g...mysql.lua#L172[/url][/quote] Wait wait wait, what the fuck, why are you storing DB info in the DB itself?! What use could there be for it when you already have access to it? This makes no sense; just store the DB password in a serverside file like the rest of the world. I just don't get this technique.
I'm talking about creating a user login, and storing the password. I need to find the code again, since I'm out eating. I clearly know that you don't hash database connection details, but why is he storing those details in the database? [editline]10th March 2017[/editline] [QUOTE=BlackVoid;51941271]Can you describe what connection details are to you if they're not the host, username, password, database and port? Because those are the variables used in the connection string. Then this thing was a big misunderstanding, peace?[/QUOTE] Yea, peace. Was just my poor links, and us not understanding each other.
[QUOTE=Lunaversity;51941277]Wait wait wait, what the fuck, why are you storing DB info in the DB itself?! What use could there be for it when you already have access to it? This makes no sense; just store the DB password in a serverside file like the rest of the world. I just don't get this technique.[/QUOTE] He is storing the connection details to a MySQL server in Garry's Mod's SQLite database (sv.db), probably not the most elegant way to solve the issue.
[QUOTE=BlackVoid;51941299]He is storing the connection details to a MySQL server in Garry's Mod's SQLite database (sv.db), probably not the most elegant way to solve the issue.[/QUOTE] That's seriously dumb. What's the problem with using a serverside MySQL config file like everyone else?
[QUOTE=Lunaversity;51941277]Wait wait wait, what the fuck, why are you storing DB info in the DB itself?! What use could there be for it when you already have access to it? This makes no sense; just store the DB password in a serverside file like the rest of the world. I just don't get this technique.[/QUOTE] He probably has an in-game function to ask the user to input the DB connection details. Don't know why he'd do it this way, but if it works then why not... Yes, it's not the way many people do it, and it may be like 100 ms slower.
[QUOTE=Heracles421;51941313]He probably has an in-game function to ask the user to input the DB connection details. Don't know why he'd do it this way, but if it works then why not... Yes, it's not the way many people do it, and it may be like 100 ms slower.[/QUOTE] It seems more complex and unnecessary to do that rather than have something build an easy config file. What happens if someone needs to edit their MySQL info? Will they have to download their sv.db -> SQL view it -> change it -> place it back on the server?
I mean, it's an interesting way of doing it.
It's to make ALL in-game configuration, and you guys need to read what I said: the ONLY password stored is the password for the tmysql4 database, and it is stored in the gmod default database so the user does not have to enter it every time.
I meant to post this the other day but never got around to it: your code is still SQL injectable. You call GBayEscapeString on net.ReadTable(), which will just return the table. The values you grab from those tables are then injectable.
Wow this is really great, one of your best addons :)
[QUOTE=Derek_SM;51943157]I meant to post this the other day but never got around to it: your code is still SQL injectable. You call GBayEscapeString on net.ReadTable(), which will just return the table. The values you grab from those tables are then injectable.[/QUOTE] Will be coming out with a fix ASAP. [editline]11th March 2017[/editline] [QUOTE=Reformed;51943253]Wow, this is really great, one of your best addons :)[/QUOTE] Thanks!
[URL="https://github.com/XxLMM13xXgaming/gbay/blob/a76c710bf3bb14b2f2fc0f9e2c263b854afd4868/lua/gbay/core/sv_core.lua#L20"]why[/URL] [URL="https://github.com/XxLMM13xXgaming/gbay/blob/a76c710bf3bb14b2f2fc0f9e2c263b854afd4868/lua/gbay/core/sv_core.lua#L128"]why?[/URL] [URL="https://github.com/XxLMM13xXgaming/gbay/blob/master/lua/gbay/core/sv_core.lua#L282"]why??[/URL] [URL="https://github.com/XxLMM13xXgaming/gbay/blob/master/lua/gbay/entity/sv_entity.lua#L10"]why??[/URL] [URL="https://github.com/XxLMM13xXgaming/gbay/blob/master/lua/gbay/shipment/sv_shipment.lua#L10"]WHY???[/URL] [URL="https://github.com/XxLMM13xXgaming/gbay/blob/8496b9f8961ab015f3f5cd6e229d88da4737eaaa/lua/gbay/service/sv_service.lua#L90"]json[/URL] [URL="https://github.com/XxLMM13xXgaming/gbay/blob/8496b9f8961ab015f3f5cd6e229d88da4737eaaa/lua/gbay/service/sv_service.lua#L107"]json?[/URL] [URL="https://github.com/XxLMM13xXgaming/gbay/blob/8496b9f8961ab015f3f5cd6e229d88da4737eaaa/lua/entities/gbay_mail/init.lua#L257"]json??[/URL] [URL="https://github.com/XxLMM13xXgaming/gbay/blob/a76c710bf3bb14b2f2fc0f9e2c263b854afd4868/lua/gbay/core/sv_core.lua#L724"]JSON???[/URL] [URL="https://github.com/XxLMM13xXgaming/gbay/blob/master/lua/gbay/mysql/sv_mysql.lua#L205"]what happens if im a skid and want to spam this or dont want my shit tracked[/URL] Your code is complete shit. Only one obvious SQL injection this time too! Your menu and idea is pretty cool though. Try to make the code for this addon not shit before releasing another maybe?
[QUOTE=StonedPenguin;51943543][URL="https://github.com/XxLMM13xXgaming/gbay/blob/a76c710bf3bb14b2f2fc0f9e2c263b854afd4868/lua/gbay/core/sv_core.lua#L20"]why[/URL] [URL="https://github.com/XxLMM13xXgaming/gbay/blob/a76c710bf3bb14b2f2fc0f9e2c263b854afd4868/lua/gbay/core/sv_core.lua#L128"]why?[/URL] [URL="https://github.com/XxLMM13xXgaming/gbay/blob/master/lua/gbay/core/sv_core.lua#L282"]why??[/URL] [URL="https://github.com/XxLMM13xXgaming/gbay/blob/master/lua/gbay/entity/sv_entity.lua#L10"]why??[/URL] [URL="https://github.com/XxLMM13xXgaming/gbay/blob/master/lua/gbay/shipment/sv_shipment.lua#L10"]WHY???[/URL] [URL="https://github.com/XxLMM13xXgaming/gbay/blob/8496b9f8961ab015f3f5cd6e229d88da4737eaaa/lua/gbay/service/sv_service.lua#L90"]json[/URL] [URL="https://github.com/XxLMM13xXgaming/gbay/blob/8496b9f8961ab015f3f5cd6e229d88da4737eaaa/lua/gbay/service/sv_service.lua#L107"]json?[/URL] [URL="https://github.com/XxLMM13xXgaming/gbay/blob/8496b9f8961ab015f3f5cd6e229d88da4737eaaa/lua/entities/gbay_mail/init.lua#L257"]json??[/URL] [URL="https://github.com/XxLMM13xXgaming/gbay/blob/a76c710bf3bb14b2f2fc0f9e2c263b854afd4868/lua/gbay/core/sv_core.lua#L724"]JSON???[/URL] [URL="https://github.com/XxLMM13xXgaming/gbay/blob/master/lua/gbay/mysql/sv_mysql.lua#L205"]what happens if im a skid and want to spam this or dont want my shit tracked[/URL] Your code is complete shit. Only one obvious SQL injection this time too! Your menu and idea is pretty cool though. Try to make the code for this addon not shit before releasing another maybe?[/QUOTE] I guess I don't understand what's wrong with all the whys and JSONs, and for the stat tracker my website has some checks, and if you don't want it, remove it, I don't care. Maybe if you were more helpful instead of sending me random lines it would actually help me, because I see no issues.
[QUOTE=XxLMM13xXx;51944120]I guess I don't understand what's wrong with all the whys and JSONs, and for the stat tracker my website has some checks, and if you don't want it, remove it, I don't care. Maybe if you were more helpful instead of sending me random lines it would actually help me, because I see no issues.[/QUOTE] Why loop through every ent? Just use ent:FindByClass.
With the JSON table stuff, what he's saying is you're not using a database correctly. The whole point of a database is to store data, so setting it to a string which stores JSON defeats the purpose entirely.
[QUOTE=TheVingard;51944195]Why loop through every ent? Just use ent:FindByClass.[/QUOTE] Completely forgot about that function :( Will update when I can. [QUOTE=Banana Lord.;51944204]With the JSON table stuff, what he's saying is you're not using a database correctly. The whole point of a database is to store data, so setting it to a string which stores JSON defeats the purpose entirely.[/QUOTE] I see, but I thought it was easier to just store using JSON.
[QUOTE=XxLMM13xXx;51944283]I see, but I thought it was easier to just store using JSON.[/QUOTE] Easier != correct or most efficient. I can't imagine how much of a disaster the world would be if people did everything the easy way instead of the correct way.
When I start the server and I join the server, I fill in my MySQL login things in the tab, and when I press on Submit MySQL Info then nothing happens, nothing. I think I have mysqloo and tmysql4 but I'm not sure, pls help.
[QUOTE=StonedPenguin;51943543]Only one obvious SQL injection this time[/QUOTE] [URL="https://github.com/XxLMM13xXgaming/gbay/issues/1"]https://github.com/XxLMM13xXgaming/gbay/issues/1[/URL] More than that. [QUOTE]How to find: Search anywhere for GBayEscapeString(net.ReadTable()). String values received inside the table don't get sanitized.[/QUOTE] If the solution to this is a function that can be exploited through circular referencing, then I'm not sure there's any hope. I agree that this is a neat idea and all, but ideas are only good if the creator actually [URL="https://facepunch.com/showthread.php?t=1517074"]learns from past mistakes[/URL] and avoids making them again... [B]EDIT:[/B] all the injection points raised in the issue were patched.
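An added example (not code from GBay or from anyone in this thread) of the two points above: escaping only the top-level value lets a table from net.ReadTable() through untouched, and a deep sanitiser needs a visited-set so a self-referencing table cannot recurse forever. escapeString is a placeholder standing in for the MySQL module's own escape function; the sample input is constructed.

```lua
-- Placeholder escape: backslash-escapes quotes and backslashes.
-- Swap in the real driver escape (or prepared statements) in production.
local function escapeString(s)
    return (s:gsub("[\\'\"]", "\\%0"))
end

-- Weak pattern: only a string is escaped; a table comes back unchanged,
-- so escapeOnlyStrings(net.ReadTable()) sanitises nothing inside it.
local function escapeOnlyStrings(v)
    if type(v) == "string" then return escapeString(v) end
    return v
end

-- Hardened version: walk the table, escape every nested string, and keep
-- a `seen` map so a circular reference reuses the copy already built
-- instead of looping forever. Functions/userdata are dropped (nil).
local function escapeDeep(v, seen)
    if type(v) == "string" then return escapeString(v) end
    if type(v) == "number" or type(v) == "boolean" then return v end
    if type(v) ~= "table" then return nil end
    seen = seen or {}
    if seen[v] then return seen[v] end
    local out = {}
    seen[v] = out
    for k, inner in pairs(v) do
        out[k] = escapeDeep(inner, seen)
    end
    return out
end

-- Constructed sample of a table a client could send over the net library.
local incoming = { name = "x'; --", price = 10, onSold = function() end }
incoming.self = incoming  -- reference cycle

local weak = escapeOnlyStrings(incoming)
print(weak.name == "x'; --")   -- true: the quote was never escaped
local safe = escapeDeep(incoming)
print(safe.name)               -- x\'; --
print(safe.self == safe)       -- true: cycle preserved, no infinite loop
print(safe.onSold)             -- nil: non-data values dropped
```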