SQL Injection. -
Sanya4 - 19.11.2017
Theoretically, can a name be used for injection if it contains only (usual name):
Code:
0-9, a-z, A-Z, [], (), $ @ . _ and = only
For example, the query:
PHP code:
new query[300];
format(query, sizeof(query), "INSERT INTO `History` (`SomeName`) VALUES ('%s')", name); // name - got with GetPlayerName
mysql_tquery(mysql, query, "", 0);
Re: SQL Injection. -
Meller - 19.11.2017
Use
Using %e instead of %s.
Or you can either use
Re: SQL Injection. -
Sanya4 - 19.11.2017
Quote:
Originally Posted by Meller
Use
Using %e instead of %s.
Or you can either use
...
1. Actually it's C code, which means you cannot use %e (limited API):
PHP code:
#include <stdio.h>
char query[300];
snprintf(query, sizeof(query), "INSERT INTO `History` (`SomeName`) VALUES ('%s')", name); // name - got with GetPlayerName
mysql_tquery(mysql, query, "", 0);
2. I have asked whether there's a way to inject, not how to prevent it.
3. I haven't found any way, so using mysql_real_escape_string is useless for game names then.
Re: SQL Injection. -
Meller - 19.11.2017
Whatever, don't prevent it then. I can't be bothered if your server gets an SQL injection because you thought you were being smart with not protecting user-inserted queries.
Re: SQL Injection. -
Spmn - 19.11.2017
Quote:
Originally Posted by Sanya4
1. Actually it's C code, which means you cannot use %e (limited API):
PHP code:
#include <stdio.h>
char query[300];
snprintf(query, sizeof(query), "INSERT INTO `History` (`SomeName`) VALUES ('%s')", name); // name - got with GetPlayerName
mysql_tquery(mysql, query, "", 0);
2. I have asked whether there's a way to inject, not how to prevent it.
3. I haven't found any way, so using mysql_real_escape_string is useless for game names then.
You're mixing SA-MP PAWN and C.
SA-MP's format() introduces the %q specifier, which escapes strings using the SQLite engine.
Also, there is mysql_format(), where you can actually use %e as pointed out before.
Escaping names may be useless now, but what if in a next SA-MP version there will be more allowed characters for nicknames? You'll have to look through the entire gamemode and escape all nicks. So why not just escape them from the beginning?
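Added example, not code from the thread or from the SA-MP MySQL plugin: a C version (matching the snprintf snippet above) of the defence Spmn describes. It whitelists the character set from the first post and then still escapes the name before building the INSERT; sql_escape is an assumed stand-alone stand-in for the quote/backslash rules mysql_real_escape_string applies, written here so the example runs without a database connection.

```c
#include <stdio.h>
#include <string.h>

/* Whitelist from the first post: 0-9 a-z A-Z [ ] ( ) $ @ . _ = ; 1 if name is non-empty and fits, else 0. */
int is_allowed_name(const char *name)
{
    if (name[0] == '\0') return 0;
    for (const char *p = name; *p; p++) {
        char c = *p;
        if ((c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') ||
            (c >= 'A' && c <= 'Z') || strchr("[]()$@._=", c) != NULL)
            continue;
        return 0;
    }
    return 1;
}
/* Stand-in (assumed, no live connection) for the escaping mysql_real_escape_string() applies
 * inside a '...' literal. Returns the length written, or -1 if out (outsz bytes) is too small. */
int sql_escape(char *out, size_t outsz, const char *in)
{
    size_t n = 0;
    for (; *in; in++) {
        const char *rep = NULL;
        switch (*in) {
        case '\'': rep = "\\'";  break;
        case '\\': rep = "\\\\"; break;
        case '"':  rep = "\\\""; break;
        case '\n': rep = "\\n";  break;
        case '\r': rep = "\\r";  break;
        }
        size_t len = rep ? strlen(rep) : 1;
        if (n + len + 1 > outsz) return -1;          /* keep room for the NUL */
        if (rep) memcpy(out + n, rep, len); else out[n] = *in;
        n += len;
    }
    out[n] = '\0';
    return (int)n;
}

/* The thread's INSERT: reject names outside the whitelist, escape the rest anyway so a wider
 * nickname charset later cannot break the literal. 0 on success, -1 on rejection/overflow. */
int build_history_insert(char *query, size_t qsz, const char *name)
{
    char safe[64];   /* ample for a nickname: escaping at most doubles its length */
    if (!is_allowed_name(name)) return -1;
    if (sql_escape(safe, sizeof safe, name) < 0) return -1;
    int r = snprintf(query, qsz, "INSERT INTO `History` (`SomeName`) VALUES ('%s')", safe);
    return (r < 0 || (size_t)r >= qsz) ? -1 : 0;
}
```

For names inside the whitelist the escaped string is identical to the input, which is why the first post found nothing to inject with today; the escape step costs nothing and covers the wider-charset case Spmn raises.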
Re: SQL Injection. -
Sanya4 - 19.11.2017
Quote:
Originally Posted by Meller
Whatever, don't prevent it then. I can't be bothered if your server gets an SQL injection because you thought you were being smart with not protecting user-inserted queries.
Are you really st**id? I've asked whether there's a way. You've answered "use this way". Please learn to read. It's not a user-inserted query, it's a game name with a limitation. You're saying it's possible even though you don't know what you're talking about, piece of s***.
Re: SQL Injection. -
Sanya4 - 19.11.2017
Quote:
Originally Posted by Spmn
Escaping names may be useless now, but what if in a next SA-MP version there will be more allowed characters for nicknames? You'll have to look through the entire gamemode and escape all nicks. So why not just escape them from the beginning?
Solved. Closed.
Re: SQL Injection. -
Sithis - 20.11.2017
Quote:
Originally Posted by Sanya4
Are you really st**id? I've asked whether there's a way. You've answered "use this way". Please learn to read. It's not a user-inserted query, it's a game name with a limitation. You're saying it's possible even though you don't know what you're talking about, piece of s***.
Learn some respect, kid. A player name is a form of user input by definition.
What if someone joins with the name
; DROP DATABASE your_db_name?
I'd be more than happy to play on your server with that name, if you can still use your database after I join.