SA-MP Forums Archive
Help sql injection protection - Printable Version

+- SA-MP Forums Archive (https://sampforum.blast.hk)
+-- Forum: SA-MP Scripting and Plugins (https://sampforum.blast.hk/forumdisplay.php?fid=8)
+--- Forum: Scripting Help (https://sampforum.blast.hk/forumdisplay.php?fid=12)
+--- Thread: Help sql injection protection (/showthread.php?tid=503059)


Help sql injection protection - wifi123 - 27.03.2014

Hi SA-MP.Com , i need help with my sql database , recently someone deleted all the acounts on my server with sql injection, i tried to put this in the gamemode but on the wiki it says that i have to Simply patch any user inputs with the function below. But how ? Im not an expert

Код:
stock DB_Escape(text[])
{
	new
		ret[MAX_INI_ENTRY_TEXT * 2],
		ch,
		i,
		j;
	while ((ch = text[i++]) && j < sizeof (ret))
	{
		if (ch == '\'')
		{
			if (j < sizeof (ret) - 2)
			{
				ret[j++] = '\'';
				ret[j++] = '\'';
			}
		}
		else if (j < sizeof (ret))
		{
			ret[j++] = ch;
		}
		else
		{
			j++;
		}
	}
	ret[sizeof (ret) - 1] = '\0';
	return ret;
}
For example , i have this stock , how to add db_escape to it ?

Код:
stock ShowTop(playerid, stats[], what[], limit = MAX_TOP_LIMIT)
{
	//--------------------------------------------------------------------------
	new Speed = GetTickCount(), DialString[3_000], String[2][128],
	Query[2][256], DBResult:Result1, DB:g_dbKeptAlive, what2[30];
    g_dbKeptAlive = db_open("Accounts.db");
	//--------------------------------------------------------------------------
	format(Query[0], 256, "SELECT `name` FROM `users` ORDER BY `%s` *1 DESC limit %d", stats, limit);
	Result1 = db_query(g_dbKeptAlive, Query[0]);
	//--------------------------------------------------------------------------
	if(!strcmp(what, "Kills"))              what2 = "Kills";
	else if(!strcmp(what, "Hours")) 		what2 = "Hours";
	else if(!strcmp(what, "SPoints")) 		what2 = "Stunt Points";
	else if(!strcmp(what, "DriftP")) 		what2 = "Drift Points";
	else if(!strcmp(what, "RaceP")) 		what2 = "Race Points";
	//--------------------------------------------------------------------------
	format(DialString, sizeof DialString, "", what2);
	for(new Qr; Qr < db_num_rows(Result1); Qr++)
	{
		db_get_field(Result1, 0, String[0], 128);
		format(Query[1], 256, "SELECT `%s` FROM `users` WHERE `Name` = '%s'", stats, String[0]);
		new DBResult:Result2 = db_query(g_dbKeptAlive, Query[1]);
		db_get_field(Result2, 0, String[1], 128);
		//----------------------------------------------------------------------
		if(!strcmp(stats, "Kills"))             format(DialString, sizeof DialString,
		"%s\n{00FF00}%d. {CCCCCC}%s: {FF0000}%s Kills", DialString, Qr+1, String[0], String[1]/*FormatNumber(strval(String[1]))*/);
		//----------------------------------------------------------------------
		else if(!strcmp(stats, "Hours")) 		format(DialString, sizeof DialString,
		"%s\n{00FF00}%d. {CCCCCC}%s: {FF0000}%s Hours", DialString, Qr+1, String[0], String[1]/*FormatNumber(strval(String[1]))*/);
		//----------------------------------------------------------------------
		else if(!strcmp(stats, "SPoints")) 		format(DialString, sizeof DialString,
		"%s\n{00FF00}%d. {CCCCCC}%s: {FF0000}%s Stunt Points", DialString, Qr+1, String[0], String[1]/*FormatNumber(strval(String[1]))*/);
		//----------------------------------------------------------------------
		else if(!strcmp(stats, "DriftP")) 		format(DialString, sizeof DialString,
		"%s\n{00FF00}%d. {CCCCCC}%s: {FF0000}%s Drift Points", DialString, Qr+1, String[0], String[1]/*FormatNumber(strval(String[1]))*/);
		//----------------------------------------------------------------------
		else if(!strcmp(stats, "RaceP")) 		format(DialString, sizeof DialString,
		"%s\n{00FF00}%d. {CCCCCC}%s: {FF0000}%s Race Points", DialString, Qr+1, String[0], String[1]/*FormatNumber(strval(String[1]))*/);
		//----------------------------------------------------------------------
		db_next_row(Result1);
		db_free_result(Result2);
	}
	db_free_result(Result1);
    db_close(g_dbKeptAlive);
	format(DialString, sizeof DialString, "%s\n\n{CCFF66}The players with most points will apear here!\n{CCFF66}It is a honor to apear here!", DialString, GetTickCount() - Speed);
	ShowPlayerDialog( playerid, 123, DIALOG_STYLE_MSGBOX, "{CCFF66}Top 10 players, DialString, "Close", "");
	return 1;
}