OSX 10.11.6
Version 277d7e2 (2016-06-30)

Just searching for a word yields no results but putting percent signs around it (%asshole%) let me find what I was looking for.
I feel this is correct as this is a direct SQL query you're executing and it is searching for messages that are exactly "asshole" vs containing it.

If you think we should change it to default %$MESSAGE% I wouldn't oppose, but I don't this to be "broken"
Sure, that'd be more clear
Wait they can put in raw data to the query? We need to check this for
injection attacks to make sure they can't take over a server.
On Mon, Oct 10, 2016, 5:48 PM JineteDV [email protected] wrote:
Sure, that'd be more clear
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
https://github.com/Cockatrice/Cockatrice/issues/2211#issuecomment-252755339,
or mute the thread
https://github.com/notifications/unsubscribe-auth/AAA5NE_Ag50Btphv8lIiGDsx17CEb6Tyks5qyrKzgaJpZM4KS-Zc
.
An explanation to the user should be added as well, what they can input and how to work with different queries.
Wait they can put in raw data to the query? We need to check this for injection attacks to make sure they can't take over a server.
The code uses prepared statements. It should be safe.
The code uses prepared statements. It should be safe.
Probably still worth a check...
Wait they can put in raw data to the query?
A '%' is a normal character, but has a special meaning when the mySQL query is comparing items using the LIKE operator:
With LIKE you can use the following two wildcard characters in the pattern:
% matches any number of characters, even zero characters.
_ matches exactly one character.
(source: http://dev.mysql.com/doc/refman/5.7/en/string-comparison-functions.html)
Probably still worth a check...
The code uses prepared statements. It _is_ safe against sql injections.
Yep, that's all I wanted to check. This is still fairly awful since they
can do a crappy query that can't be indexed
On Mon, Oct 17, 2016, 11:59 AM ctrlaltca [email protected] wrote:
Wait they can put in raw data to the query?
A '%' is a normal character, but has a special meaning when the mySQL
query is comparing items using the LIKE operator:With LIKE you can use the following two wildcard characters in the pattern:
% matches any number of characters, even zero characters.
_ matches exactly one character.(source:
http://dev.mysql.com/doc/refman/5.7/en/string-comparison-functions.html)Probably still worth a check...
The code uses prepared statements. It _is_ safe against sql injections.
—
You are receiving this because you commented.Reply to this email directly, view it on GitHub
https://github.com/Cockatrice/Cockatrice/issues/2211#issuecomment-254250641,
or mute the thread
https://github.com/notifications/unsubscribe-auth/AAA5NBbBDGebab60XsmpSa_UG00hsgu1ks5q05tagaJpZM4KS-Zc
.
The log query in general was originally designed to validate the legitimacy of a user reporting behavior (small short queries). It clearly wasn't thought through for doing queries to find offending players. In-fact in times I want to do those type of queries I actually setup a copy of the database on a box that wont affect players since the load on the DB can be pretty high. Improvement on something like this would be awesome :)
I think the idea @Daenyth originally had for changing the color of the players user list background was designed for something more in respect to finding "bad" users.
Ideally we could split the code so that the db query portion could be
replaced with a lucene search over logs or something. I think the log
search stuff wasn't really designed all that much
On Mon, Oct 17, 2016 at 2:47 PM woogerboy21 [email protected]
wrote:
The log query in general was originally designed to validate the
legitimacy of a user reporting behavior (small short queries). It clearly
wasn't thought through for doing queries to find offending players. In-fact
in times I want to do those type of queries I actually setup a copy of the
database on a box that wont affect players since the load on the DB can be
pretty high. Improvement on something like this would be awesome :)—
You are receiving this because you commented.Reply to this email directly, view it on GitHub
https://github.com/Cockatrice/Cockatrice/issues/2211#issuecomment-254297308,
or mute the thread
https://github.com/notifications/unsubscribe-auth/AAA5NJGU4rTVW4r3M3PXN6vxGxj7kAsWks5q08LcgaJpZM4KS-Zc
.
@Daenyth Text file Log searching is a terrible idea. Not to mention logging most the time is disabled since there is no real logging level implemented and it puts a considerable strain on the disks to write out every game event / action and server level message that happens.
The logging code of the server could use some over haul. The core functions for writting / recording the logs is fine. We could use log verbosity settings.
Related to #2487
Most helpful comment
Wait they can put in raw data to the query? We need to check this for
injection attacks to make sure they can't take over a server.
On Mon, Oct 10, 2016, 5:48 PM JineteDV [email protected] wrote: