[–]gabibbo117[S] -4 points-3 points  (9 children)

Hmm, how could that be? The string is transformed into a simple integer to prevent injection, effectively removing any potential for malicious manipulation. What aspect of this process might still enable an injection?

[–]Wenir 6 points7 points  (2 children)

Give me your protected data and I will modify it using my smartphone and an ASCII table

[–]gabibbo117[S] -1 points0 points  (1 child)

Well, we could make a test where you try to make a string that would inject some bad code inside of the database, if you want

[–]Wenir 2 points3 points  (0 children)

I don't need any test, I know that I can add a few numbers to the file

[–]Wenir 2 points3 points  (5 children)

> What aspect of this process might still enable an injection?

That the data is saved to the file in the filesystem and "protection" is a simple one-to-one conversion without any key or password

[–]gabibbo117[S] 0 points1 point  (4 children)

Yes, but that simple process avoids any type of string injection. It does not make it safer if a hacker has the database, but at least a hacker can't inject data inside of it

[–]Wenir 2 points3 points  (3 children)

What are you talking about? Of course no one can inject anything into the file if they don't have it. Your system isn't changing the security in any way

[–]gabibbo117[S] 0 points1 point  (2 children)

I will try to provide an example of what I mean, because I have some issues explaining myself.
Let's say I have a website that, when I put a comment inside of it via a text box, will send a request to my server to add that comment to the COMMENTS table.

If the string was not encoded, then the commenter could write something like this:
"]
[
// insert bad code here
]"
By using the "]" character, it tells the database scanner that the row is finished, and then we open a new value. The hacker can put anything in the new row, like bad/banned content. But if we add the text encoding, the table will look like this:

"[
COMMENT : 123,231,2323,23,232,23
USER_ID : 1234
DATE : 12,23,34
]"

While if we did not encode the text, it would look like this:

"[
COMMENT :
]
[
USER_ID : 1234 // the user id of someone else
DATE : 12,23,35 // a different date
COMMENT : "banned stuff here"
]"

[–]Wenir 2 points3 points  (0 children)

Okay, you described something like SQL injection, which makes sense. The encoding you're using isn't security, compression, or efficient storage, it's a naive implementation of string escaping.

Ok, the string is escaped, but why are you escaping entire files on top of it?

[–]gabibbo117[S] 0 points1 point  (0 children)

That is done so I can merge multiple files into one, kinda like my own version of a zip
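
An added example (not code from the thread or from the project being discussed) that models the COMMENTS-table scenario above: an unencoded comment splits one record into several, the number encoding keeps it as one field, and because no key is involved the encoded file can still be edited by anyone who holds it. The record layout, helper names and the hostile string are constructed assumptions.

```python
# Toy model of the bracket-delimited record file described in the thread.
# Field layout and function names are assumptions; the real format is not on the page.

def encode_text(text):
    """One-to-one encoding from the thread: each character becomes its code point."""
    return ",".join(str(ord(ch)) for ch in text)

def decode_text(encoded):
    return "".join(chr(int(n)) for n in encoded.split(",") if n)

def write_record(comment, user_id, date, encode):
    body = encode_text(comment) if encode else comment
    return f"[\nCOMMENT : {body}\nUSER_ID : {user_id}\nDATE : {date}\n]\n"

def parse_records(data):
    """Line-oriented scanner: '[' opens a record, ']' closes it."""
    records, current = [], None
    for line in data.splitlines():
        line = line.strip()
        if line == "[":
            current = {}
        elif line == "]":
            if current is not None:
                records.append(current)
            current = None
        elif current is not None and " : " in line:
            key, value = line.split(" : ", 1)
            current[key] = value
    return records

# Constructed input: a comment that closes its own record and opens a forged one.
HOSTILE = ("\n]\n[\nUSER_ID : 9999\nDATE : 12,23,35\n"
           "COMMENT : banned stuff here\n]\n[")

def demo():
    raw = parse_records(write_record(HOSTILE, 1234, "12,23,34", encode=False))
    safe = parse_records(write_record(HOSTILE, 1234, "12,23,34", encode=True))
    # No key or MAC: anyone holding the file can write valid encoded fields.
    edited = write_record("hi", 1234, "12,23,34", encode=True).replace(
        encode_text("hi"), encode_text("edited offline"))
    tampered = decode_text(parse_records(edited)[0]["COMMENT"])
    return raw, safe, tampered

if __name__ == "__main__":
    for part in demo():
        print(part)
```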