This topic is locked

Support thread for DevQuest contest

2/15/2022 3:51:16 PM
General Tips and Tricks
admin

This is a support thread for DevQuest contest where we will be posting occasional tips. You can discuss the DevQuest related topics here but NO SPOILERS.

Arkie 2/15/2022

huh? I answered a phone, but no one responded... In other words, I have no idea what to do. I see a question which implies a yes or no answer, but that ain't the answer? I ain't got time for foolishness. Count me out.

admin 2/15/2022

@Arkie,

"sources" <-> "view page source". Check the first useful link in "What if need help?" section in the blog post.

swanside 2/15/2022

Stuck on 7 :(

david22585 2/15/2022

I'm stuck on 8 and I wish I could help you with 7. I'm only stuck on 8, as I keep getting a cloudflare Error 524.

You (Browser): Working
Chicago (Cloudflare): Working
xlinesoft.com (Host): Error

Now I have this:

HTTP Error 500.0 - Internal Server Error
The FastCGI process has failed frequently recently. Try the request again in a while

admin 2/15/2022

Congratulations to all who made it that far. The website is operational at the moment, probably was overloaded a bit.

Mario Iván Bredicce 2/15/2022

It was very funny, thanks to all the team of Xlinesoft!!!

swanside 2/16/2022

Yep, Up to 8 now

admin 2/16/2022

Step 1 hint

"Source" = page source.

See anything interesting there, at the very beginning?

admin 2/16/2022

Step 2 hint

"consolation" = "console"

Press F12 to open Developer Tools. See anything console-ish there?

swanside 2/16/2022

That was good. Learnt a bit from that also :)

david22585 2/16/2022

Welp, I tried everything I could think of for 8. Can't figure out how to escape the like clause to make a new statement. This is why I'm a professional amateur. lol. I was on a roll with 1-7 too.

admin 2/17/2022

@david22585,

not bad for an amateur!

With SQL injection I can suggest an approach like this. First of all, it prints the current SQL where your input is highlighted. Write down the SQL that you start with, when you just enter war. Then try to write down your ideal SQL query that you think will produce the results you need. Write them both down next to each other and this will give you an idea what you need to use instead of war. If nothing helps - post both queries here and we'll provide more tips.

SQL injection is not something that you normally need to deal with on this level but it is a sort of a fun exercise.

david22585 2/17/2022

@admin

I tried. I've built a huge program using PHPRunner and learned a lot. While what we use is internal, I never knew about SQL injection until recently, and am now in the process of changing everything over to DB API PrepareSQL.

But here is what I got:

Original query:
SELECT * from books where owner='Mike' and bookname like '%war%'

What I want it to look like:
SELECT * from books where owner='Mike' and bookname like '%war%' OR owner='Pete'

Since it doesn't work, I will provide what I put into the answer, which only gives me blank results. I will remove it if you want it taken off:
%" OR owner="Pete"--;
Produces:
SQL: SELECT * from books where owner='Mike' and bookname like '%%" OR owner="Pete"--;%'

admin 2/17/2022

I will highlight the input part of the initial query:

SELECT * from books where owner='Mike' and bookname like '%war%'

So, you are thinking in the right direction and the following query would work, but ...
SELECT * from books where owner='Mike' and bookname like '%war%' OR owner='Pete'

The problem is that %' will be added to any input string and you won't be able to make the query end with owner='Pete'. No matter what, it will end with %'. But you can use other comparison operators, such as like. You can see how it works by studying the original query. % is a wildcard character in a like WHERE clause. So you should be aiming for your query to end with something like this:
OR owner like 'Pet%'

I hope it makes sense.
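
Added example, not part of the original thread and not PHPRunner or DevQuest code: the defensive side of the step 8 query, with the concatenated form the contest prints next to a bound-parameter form in which the search term (including % and quote characters) stays data. Python's sqlite3 stands in for the PHPRunner DB API mentioned above; the books rows and the function names are constructed for illustration.

```python
import sqlite3

def build_concat_sql(term):
    # Weak form: the input is pasted between '% and %', as in the thread's
    # printed SQL. Shown for comparison only; it is never executed here.
    return ("SELECT * from books where owner='Mike' and bookname like '%"
            + term + "%'")

def escape_like(term, esc="\\"):
    # Make the LIKE wildcards (% and _) and the escape character literal.
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))

def search_books(conn, owner, term):
    # Hardened form: owner and pattern travel as bound parameters, so
    # quotes or wildcards in the term cannot change the WHERE clause.
    sql = ("SELECT owner, bookname FROM books "
           "WHERE owner = ? AND bookname LIKE ? ESCAPE '\\'")
    pattern = "%" + escape_like(term) + "%"
    return conn.execute(sql, (owner, pattern)).fetchall()

def make_db():
    # Constructed sample data; the real contest table is not on the page.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE books (owner TEXT, bookname TEXT)")
    conn.executemany("INSERT INTO books VALUES (?, ?)", [
        ("Mike", "War and Peace"),
        ("Mike", "100% Wool"),
        ("Pete", "The Art of War"),
        ("Pete", "Secret Diary"),
    ])
    return conn

if __name__ == "__main__":
    conn = make_db()
    posted = '%" OR owner="Pete"--;'      # input quoted earlier in the thread
    print(build_concat_sql(posted))        # same SQL the contest page printed
    for term in ("war", "%", posted, "O'Brien"):
        print(repr(term), "->", search_books(conn, "Mike", term))
```

With bound parameters a bare % matches only titles that contain a percent sign, and every result stays limited to the requested owner.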

david22585 2/17/2022

@admin

That does make sense! Got it, and thanks for the fun!

swanside 2/17/2022

On 8 I didn't use a query like that, Sorry will DM admin :)