SA-MP Forums Archive - sql injection
Forum: SA-MP Scripting and Plugins (https://sampforum.blast.hk/forumdisplay.php?fid=8) > Scripting Help (https://sampforum.blast.hk/forumdisplay.php?fid=12)
Thread: sql injection (/showthread.php?tid=571254)

sql injection - iBots - 17.04.2015

I am kinda new to MySQL, and I just wanna get some info about it. I have read Wikipedia about SQL injection, but could someone explain it to me a little?
By the way, could you tell me if anyone can SQL inject my databases? I am using '%e' for names without escaping names, I am hashing the password, and I am saving other things normally.


Re: sql injection - Konstantinos - 17.04.2015

http://en.wikipedia.org/wiki/SQL_injection

When a player can input, let's say a name, in a query via in-game, they can (if they get lucky) ruin your database. An example would be: we want to select the best time in a race and we have to input the race's name. If someone does not escape the queries, I can just do:
Code:
SELECT record FROM races WHERE name='SF Drag';DROP TABLE users;
and if you have a table named "users" - you've got big problems.

--

Always use '%e' for any string you pass in a query and you'll be safe.


Re: sql injection - iBots - 17.04.2015

Should I also use %e for texts like textdraw strings? In saving and loading?


Re: sql injection - Lordzy - 17.04.2015

It only needs to be used while you're inserting them in your queries. Suppose text is a field where a player can use their own custom text; you'll have to escape it before attaching it to your queries. Other fields or data which don't require players to fill them in don't need to be escaped.
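Putting Konstantinos's race-record example and Lordzy's save/load answer together, here is an added example (not code from this thread), written against the BlueG MySQL plugin's mysql_format and mysql_tquery functions as I know them; the connection handle g_SQL, the OnRaceRecordLoaded callback and the players/races table layouts are assumed. The first function builds the query with %s and lets the player's text reach the query untouched; the second uses %e so the quote in the input is escaped and the whole input stays inside the string literal.

```pawn
// Assumed: BlueG MySQL plugin loaded and g_SQL filled by mysql_connect elsewhere.
// R41 uses the MySQL: tag on the handle; older releases use a plain integer.
new MySQL:g_SQL;
new g_Query[256];

// VULNERABLE: %s copies the race name into the query as-is.
// Input  SF Drag';DROP TABLE users;  produces the query from the thread,
//   SELECT record FROM races WHERE name='SF Drag';DROP TABLE users;'
// with a second statement following the first.
stock LoadRaceRecord_Vulnerable(playerid, const raceName[])
{
    mysql_format(g_SQL, g_Query, sizeof g_Query,
        "SELECT record FROM races WHERE name='%s'", raceName);
    mysql_tquery(g_SQL, g_Query, "OnRaceRecordLoaded", "d", playerid);
}

// SAFE: %e escapes quotes and backslashes before insertion, so the same
// input yields a single SELECT whose literal is  'SF Drag\';DROP TABLE users;'
stock LoadRaceRecord(playerid, const raceName[])
{
    mysql_format(g_SQL, g_Query, sizeof g_Query,
        "SELECT record FROM races WHERE name='%e'", raceName);
    mysql_tquery(g_SQL, g_Query, "OnRaceRecordLoaded", "d", playerid);
}

// Saving, as in Lordzy's answer: text the player typed (a custom textdraw
// string) goes through %e; a value the player never types, such as the
// account's database id, is passed as an integer with %d.
stock SavePlayerText(dbid, const customText[])
{
    mysql_format(g_SQL, g_Query, sizeof g_Query,
        "UPDATE players SET custom_text='%e' WHERE id=%d", customText, dbid);
    mysql_tquery(g_SQL, g_Query);
}
```

The same rule applies on load: the value read back from custom_text is data, not a query, so it needs no escaping until it is put into another query.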