
/edit command

Posted: Thu May 26, 2011 6:52 pm
by Xaves
Well, I guess every one of us has encountered it :wink:, the moment when you would love to change some spell, style or anything in the DB but you can't because you aren't at your PC at home, don't know your login or are just too lazy to switch to desktop. :P

That's why I wrote this new command, basically it just lets you load a DB entry and edit it.
Right now I only added a few DBs but more can be added easily because it hardly uses any hardcoded stuff, to add a different DB just add it to the switch with the other DBs and you are done.

The command hasn't been used by anyone except myself, thus I am sorry if it's a bit hard to understand. ;)

Re: /edit command

Posted: Thu May 26, 2011 6:57 pm
by Hiatus
Good job, this could be an excellent contribution to the SVN also. I haven't reviewed the code fully yet, will do that + test later. Wait for one of the developers to see this and they can decide.

Again, Nice job :mrgreen:

Re: /edit command

Posted: Thu May 26, 2011 7:07 pm
by Graveen
Ho, interesting. Well for item, this is duplicate with /item command.

The proper way to edit style is to build a focused /xxx command (such as /mob, /item and as you suggest /spell or /style). I'll dig it and test it to better evaluate it.

Thank you for the contribution, you're welcome !

Re: /edit command

Posted: Thu May 26, 2011 7:17 pm
by Blue
Interesting. On Uthgard we use a similar system which is based on reflection and the use of an [Editable] attribute on the DB class to be able to alter itemtemplates in a more generic way. A nice use is also that you can use enum names instead of numbers, e.g. for damage type.

Re: /edit command

Posted: Fri May 27, 2011 8:49 am
by Xaves
Graveen wrote:
> Ho, interesting. Well for item, this is duplicate with /item command.
>
> The proper way to edit style is to build a focused /xxx command (such as /mob, /item and as you suggest /spell or /style).

Ok, for the item it's only in because I had to test it with different DBs, and then I didn't feel the urge to get rid of it.

About the focused /xxx command:
For mob you might be right, because you change more than just the DB values for a mob.
But for everything else like the spell, you only change the DB values, like spellid or spelleffect. That's why making a new command for everything would be a bit overkill in my opinion, especially cuz you could add any DB (and change any DB layout) and it would always work, like the linexspell or spellline DB, they only consist of 3-4 values, creating a new command for each of those wouldn't make that much sense, but well you are the Project Leader so it's for you to decide. ;)

Re: /edit command

Posted: Fri May 27, 2011 9:02 am
by Graveen
Got only a quick look at your command, and your arguments are valuable :)

I can't tell you if it'll go to the core or rather in user files - need to dig it a little - but I really appreciate the effort and the sharing !

Thumbs up and thank you ! :)

Re: /edit command

Posted: Fri May 27, 2011 9:41 am
by geshi
Nice, I tested it and it works nice :)

Now all we need is a way to reload spells in game, and they are updated for everyone ingame on the next cast, like Uthgard has ! :mrgreen:

Re: /edit command

Posted: Fri May 27, 2011 12:36 pm
by Xaves
Uploaded new version with ability to search the DB and create new entries.

About reloading: you can basically use the SkillBase.LoadSpells() and LoadSpellLines(), but to make it safe you should add some locks in those methods ;)

Re: /edit command

Posted: Fri May 27, 2011 1:56 pm
by geshi
Niceeeeee :) I got it working :) that's very very useful :D thanks.

Re: /edit command

Posted: Fri May 27, 2011 2:42 pm
by Tolakram
Take /edit

add 1 GM who is not so trustworthy

stir in some SQL injection

say goodbye to DB.

Please use this with care. It is restricted to admin, which is good, but I would also escape any data passed in.

Code:
sp = new List<DataObject>(GameServer.Database.SelectObjects<DBSpell>("SpellID like '" + args[3] + "'"));
You can format an /edit command to inject SQL
Code:
sp = new List<DataObject>(GameServer.Database.SelectObjects<DBSpell>("SpellID like '" + args[3].Replace(";", "") + "'"));
Now you can't.

As a rule never ever allow text from the user to make it unmodified to the DB.

Re: /edit command

Posted: Fri May 27, 2011 3:07 pm
by Xaves
Well, thanks for that. I never used mysql till now, thus I'm pretty new to this. ;)
Changed it and uploaded.

About the GM part, any GM who is not so trustworthy and uses this command can mess up the whole DB, or just change a spell that nobody uses to a much higher value and thus mod players. That's why I basically made it Admin only.

Re: /edit command

Posted: Fri May 27, 2011 6:08 pm
by Dre
Tolakram wrote:
> You can format an /edit command to inject SQL
> Code:
> sp = new List<DataObject>(GameServer.Database.SelectObjects<DBSpell>("SpellID like '" + args[3].Replace(";", "") + "'"));
> Now you can't.
>
> As a rule never ever allow text from the user to make it unmodified to the DB.

It's not really a good way; I can use this command*:
Code:
/edit spell "' UNION (SELECT Name, Password FROM Account WHERE PrivLevel >= 3) -- p"
And I don't need to use the character ";" so you need to disallow the character "'" (single quote). The best way is:
Code:
sp = new List<DataObject>(GameServer.Database.SelectObjects<DBSpell>("SpellID like '" + GameServer.Database.Escape(args[3]) + "'"));
(or something like this)
And the bonus with this: you can use /edit spell "Mob's spell" without any DB error, because the character "'" will be escaped with "\'".


* This example doesn't work, but you don't need to add many things to exploit this SQL injection.
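
Added example, not part of the thread or of the DOL code: the approaches discussed in the posts above (plain concatenation, stripping ";", and keeping the user text out of the SQL string) run side by side against a constructed table. It uses Python's sqlite3 as a stand-in for the server's MySQL layer and parameter binding in place of the Escape call suggested above; the table, column and function names are hypothetical.

```python
import sqlite3

# Constructed sample rows standing in for the spell table (hypothetical names).
ROWS = [(1, "Fireball"), (2, "Mob's spell"), (3, "Heal")]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE spell (spell_id INTEGER, name TEXT)")
    db.executemany("INSERT INTO spell VALUES (?, ?)", ROWS)
    return db

def find_concat(db, user_text):
    """Pattern from the thread: user text is pasted into the SQL string."""
    sql = ("SELECT spell_id FROM spell WHERE name LIKE '" + user_text +
           "' ORDER BY spell_id")
    return [r[0] for r in db.execute(sql)]

def find_strip_semicolon(db, user_text):
    """Semicolon filter: the quote character still reaches the SQL parser."""
    return find_concat(db, user_text.replace(";", ""))

def find_bound(db, user_text):
    """Parameter binding: the text is only ever a value, never SQL syntax."""
    sql = "SELECT spell_id FROM spell WHERE name LIKE ? ORDER BY spell_id"
    return [r[0] for r in db.execute(sql, (user_text,))]

def compare(user_text):
    """Run one input through all three variants; report rows or the error."""
    db = make_db()
    out = {}
    for fn in (find_concat, find_strip_semicolon, find_bound):
        try:
            out[fn.__name__] = fn(db, user_text)
        except sqlite3.Error as exc:
            out[fn.__name__] = "error: " + type(exc).__name__
    return out

if __name__ == "__main__":
    # Constructed inputs: a plain name, a legitimate name containing a quote,
    # and a text whose quote changes the WHERE clause when concatenated.
    for text in ("Heal", "Mob's spell", "x' OR '1'='1"):
        print(repr(text), compare(text))
```

With the concatenating variants, a legitimate name containing a quote fails with a syntax error and the third input matches every row; the bound variant finds the quoted name and matches nothing for the third input.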

Re: /edit command

Posted: Fri May 27, 2011 7:49 pm
by Xaves
I see you are all pretty much worried about getting !@#$% up by someone, well as soon as you give anyone admin level he has the code command - thus giving him the ability to write almost anything and execute it, as well as he already has the plvl command. But, well I see what you are at: what if someone wants to hand this command to some of his GMs, that's why I updated it and I guess everyone should be fine now. ;)

Thanks for your comments anyway, helped me a lot learning about this mysql stuff ;)

Re: /edit command

Posted: Fri May 27, 2011 8:55 pm
by Tolakram
It's more preemptive than anything else.

There's a lot of dumb admins out there, and when they get "hacked" they come crying here about it all being DOL's fault. Too dumb to know who to blame. So it's best to offer as much security as possible.

It is true this is an admin command, similar to /code, but while /code can crash your server SQL injection can put an end to it. Dumb admins don't run backups. :)

Re: /edit command

Posted: Fri May 27, 2011 9:19 pm
by Hiatus
That's why dumb admins don't get very far. :mrgreen: