sql injection - Printable Version
SA-MP Forums Archive (https://sampforum.blast.hk) > Forum: SA-MP Scripting and Plugins (https://sampforum.blast.hk/forumdisplay.php?fid=8) > Forum: Scripting Help (https://sampforum.blast.hk/forumdisplay.php?fid=12) > Thread: sql injection (/showthread.php?tid=571254)
sql injection - iBots - 17.04.2015
I am kinda new to MySQL, and I just wanna get some info about it. I have read the Wikipedia article about SQL injection, but could someone explain it to me a little?
By the way, could you tell me if anyone can SQL-inject my databases? I am using '%e' for names without escaping names, I am hashing the password, and I am saving other things normally.
Re: sql injection - Konstantinos - 17.04.2015
http://en.wikipedia.org/wiki/SQL_injection
When a player can input, let's say a name, into a query in-game, they can (if they get lucky) ruin your database. An example would be: we want to select the best time in a race, and we have to input the race's name. If someone does not escape the queries, I can just do:
Code:
SELECT record FROM races WHERE name='SF Drag';DROP TABLE users;
and if you have a table named "users" - you've got big problems.
--
Always use '%e' to any string you pass in a query and you'll be safe.
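The race-record query above, as an added example that is not from the thread: it rebuilds the unescaped string concatenation with a constructed player name, shows that the name breaks out of the quotes and appends a second statement, then shows the two safe forms (escaping the quote, which is what the plugin's '%e' does for you, and a bound parameter). It uses an in-memory SQLite database and a constructed schema so it runs offline; the table layout and the sample rows are assumptions.

```python
import sqlite3

# Constructed schema mirroring the thread's example: a races table and the
# "users" table the injected statement tries to drop.
SCHEMA = """
CREATE TABLE races (name TEXT, record INTEGER);
CREATE TABLE users (name TEXT, password_hash TEXT);
INSERT INTO races VALUES ('SF Drag', 5432);
INSERT INTO users VALUES ('iBots', '<constructed hash>');
"""

# Constructed player input: closes the quoted name, appends a second
# statement, and comments out the dangling quote the script adds.
MALICIOUS_NAME = "SF Drag';DROP TABLE users;--"


def table_exists(con, name):
    """True if the named table is still present in the database."""
    row = con.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (name,)
    ).fetchone()
    return row is not None


def build_unescaped(race_name):
    """The bug: the player's text is pasted straight into the SQL."""
    return "SELECT record FROM races WHERE name='%s'" % race_name


def run_unescaped(race_name):
    """Execute the concatenated text as a script (what a driver that accepts
    multiple statements would do). Returns whether users survived."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executescript(build_unescaped(race_name))  # runs BOTH statements
    return table_exists(con, "users")


def run_escaped(race_name):
    """Escape the quote (the job '%e' does in the Pawn plugin): the whole
    input stays inside the string literal. Returns whether users survived."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    safe_name = race_name.replace("'", "''")  # SQL-standard quote doubling
    con.executescript(build_unescaped(safe_name))
    return table_exists(con, "users")


def run_parameterized(race_name):
    """Bound parameter: the name is data, never SQL. Returns (users survived, row)."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    row = con.execute(
        "SELECT record FROM races WHERE name=?", (race_name,)
    ).fetchone()
    return table_exists(con, "users"), row
```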
Re: sql injection - iBots - 17.04.2015
Should I also use %e for texts like textdraw strings, in saving and loading?
Re: sql injection - Lordzy - 17.04.2015
It is only necessary to use it while you're inserting them into your queries. Suppose text is a field where players can use their own custom text; you'll have to escape it before attaching it to your queries. Other fields or data which don't require players to fill them in don't need to be escaped.