1. To chat with the GameOgre community, you need to have at least 100 posts. Once you have the 100 posts, post at Become A New Ogre
    Dismiss Notice

LA 1.2.2 Released

Discussion in 'Living Avatars' started by confuser, Aug 13, 2011.

  1. confuser

    confuser Big Brute The Pit

    Messages:
    122
    Likes Received:
    0
    Trophy Points:
    16
    Credit:
    50.00
    confuser, Aug 13, 2011
    confuser, Aug 13, 2011
    #1
  2. Insydius

    Insydius Little Spike New Ogre

    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    0
    Credit:
    1,616.00
    Those with LA v2.3.1 Pro won't be able to upgrade to this correct?

    And if you don't mind me asking, by chance what was the security update fix about?
     
    Insydius, Aug 13, 2011
    Insydius, Aug 13, 2011
    #2
  3. confuser

    confuser Big Brute The Pit

    Messages:
    122
    Likes Received:
    0
    Trophy Points:
    16
    Credit:
    50.00
    Correct, this update is only for those with the free version. I have not seen the LA pro files so assuming it is very similar to the current 1.2 then the security fix is within includes/mysql.php
    Within the query() function there is the following code:
    Code:
    $query_string = preg_replace("#{([^}]\S+)}#", PRGM_TABLE_PREFIX . "$1", $query_string);
    That has been replaced with
    Code:
    $find = array(
			'/FROM {(.*?)}/',
			'/INTO {(.*?)}/',
			'/JOIN {(.*?)}/',
			'/UPDATE {(.*?)}/',
			'/CREATE TABLE {(.*?)}/',
			'/SHOW TABLES LIKE \'{(.*?)}\'/',
			'/LEFT JOIN {(.*?)}/'
		);
$replace = array(
			'FROM '.PRGM_TABLE_PREFIX.'$1',
			'INTO '.PRGM_TABLE_PREFIX.'$1',
			'JOIN '.PRGM_TABLE_PREFIX.'$1',
			'UPDATE '.PRGM_TABLE_PREFIX.'$1',
			'CREATE TABLE '.PRGM_TABLE_PREFIX.'$1',
			'SHOW TABLES LIKE \''.PRGM_TABLE_PREFIX.'$1\'',
			'LEFT JOIN '.PRGM_TABLE_PREFIX.'$1'
		);
$query_string = preg_replace($find, $replace, $query_string);
    This eliminates a potential SQL injection

    Insydius, to make this work I had to change some of the queries to use LEFT JOIN so it may not be that easy to apply in the Pro version yourself

    Edit: It appears I actually forgot to include this fix in the zip uploaded, so could you all please redowload it, sorry
     
    confuser, Aug 14, 2011
    confuser, Aug 14, 2011
    #3
  4. Insydius

    Insydius Little Spike New Ogre

    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    0
    Credit:
    1,616.00
    That last edit was pretty ironic, though reposting this definitely was a good way to review the release.

    Anywho, I have the Pro version and since ownership of LA transferred from the original author to you guys, I can give you my copy of the Pro version if you like to look over the files.
     
    Insydius, Aug 14, 2011
    Insydius, Aug 14, 2011
    #4
  5. Admin Post
    ogreman

    ogreman Ogre In Charge Staff Member GameOgre Admin

    Messages:
    52,581
    Likes Received:
    8,872
    Trophy Points:
    113
    Credit:
    196,836.38
    Yes, that would help:).
     
    ogreman, Aug 23, 2011
    ogreman, Aug 23, 2011
    #5
  6. confuser

    confuser Big Brute The Pit

    Messages:
    122
    Likes Received:
    0
    Trophy Points:
    16
    Credit:
    50.00
    Ditto :)

    Sorry I have been inactive for the past few weeks. Had exam results, just got into University so been sorting that all out. Should be back to developing very soon. I am still looking for someone with vb 4.1.5 to test the next version which uses vb's built in user functions etc
     
    confuser, Aug 23, 2011
    confuser, Aug 23, 2011
    #6
  7. Admin Post
    ogreman

    ogreman Ogre In Charge Staff Member GameOgre Admin

    Messages:
    52,581
    Likes Received:
    8,872
    Trophy Points:
    113
    Credit:
    196,836.38
    Ok, sounds good:).
     
    ogreman, Aug 26, 2011
    ogreman, Aug 26, 2011
    #7

Share This Page