sqlite escape string
#1

Well, I've been trying to learn SQLite. In many tutorials I saw that some strings were passed through the DB_Escape function. But in 0.3.7, I believe there's a native '%q' operator which does the job of DB_Escape. My question is, why should strings be escaped and what are the cases where it should be used? I've been using '%q' for all strings in my test script, and it works just fine. But I want to know if it's right or wrong.


(I'm just learning SQLite and I want to know if I've been doing things wrong)
#2

Because every string you send into SQL is a potential query (even when you are trying to store a string using a query), it can be manipulated to inject into your SQL, inserting data you don't want, retrieving or updating it, leading to many things; the worst is losing the whole of the data you've got.
It's rare in SA-MP, but still better safe than sorry.

As a rule of thumb, whenever you want to save any string a player entered (user, pass etc.), escape it; it's not necessary to escape what you write in your own Pawn code.
#3

You escape a string to avoid SQL Injection.
#4

Quote:
Originally Posted by PrO.GameR
Because every string you send into SQL is a potential query (even when you are trying to store a string using a query), it can be manipulated to inject into your SQL, inserting data you don't want, retrieving or updating it, leading to many things; the worst is losing the whole of the data you've got.
It's rare in SA-MP, but still better safe than sorry.

As a rule of thumb, whenever you want to save any string a player entered (user, pass etc.), escape it; it's not necessary to escape what you write in your own Pawn code.
Rare? If you run a server of any kind of decent size for any extended period of time, you'll find out very quickly that it's not all that rare. Or, you won't find out and you'll just wonder how Jim Jones with 1 playing hour keeps getting $900m.

Worst case here is your database being dumped and posted online. If you don't have some kind of (preferably automatic) backup mechanism in place when your server is of decent size, then you deserve what you get.
#5

Quote:
Originally Posted by DavidBilla
why should strings be escaped
To filter out special characters that the SQL interpreter may read as part of the query rather than part of the string. You will either get an erroneous query or an unexpected result which may prove useful to a hacker. For example the character ' (single quote) is used to denote strings, but if it appears in a string itself it must be escaped, for example:
PHP Code:
... WHERE name='O'Hare'; 
Would produce an error
PHP Code:
... WHERE name='O''Hare'; -- SQLite escapes a quote by doubling it (this is what %q emits); backslash is not an escape character in SQLite
Would not produce an error.

This is the simple case, but it is also necessary to protect against people who could exploit this by supplying a weird input, like
PHP Code:
zrtpqdfgh' OR 1=1; -- 
In which case the unescaped query would look like:
PHP Code:
... WHERE name='zrtpqdfgh' OR 1=1; --'; 
That will likely yield the first account in the database, which is nearly always that of the administrator, leading to potentially dangerous situations.

Quote:
Originally Posted by DavidBilla
what are the cases where it should be used
Any time you expect user input. That includes dialogs, chat text and command text.
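The three cases in the post above (the stray quote in O'Hare, the `zrtpqdfgh' OR 1=1; --` input, and the escaped form), together with the rule of thumb from post #2 (escape what players type, not your own literals), worked as an added example. This is not code from the thread or from SA-MP; it uses Python's built-in sqlite3 module against a constructed in-memory players table, and the escape_sqlite_literal helper reproduces what SQLite's %q does (doubling single quotes) so the effect can be seen without the plugin. The bound-parameter lookup is shown as well, as the preferred defence wherever the driver offers one.

```python
import sqlite3

# Constructed sample rows (not from the thread); Admin is deliberately row 1,
# matching the post's point that the first account is usually the administrator.
SAMPLE_ROWS = [("Admin", 900_000_000), ("O'Hare", 500), ("Jim Jones", 10)]

# The weird input quoted in the post above.
INJECTION_INPUT = "zrtpqdfgh' OR 1=1; --"


def escape_sqlite_literal(value: str) -> str:
    """Escape text for use inside a single-quoted SQLite literal, the same
    transformation sqlite3_mprintf's %q performs: every ' becomes ''.
    Backslash is NOT an escape character in SQLite, so \\' would not work."""
    return value.replace("'", "''")


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed players table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE players (id INTEGER PRIMARY KEY, name TEXT, money INTEGER)"
    )
    conn.executemany("INSERT INTO players (name, money) VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unescaped(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable pattern: player input spliced straight into the SQL text."""
    sql = "SELECT name FROM players WHERE name='" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_escaped(conn: sqlite3.Connection, name: str) -> list:
    """Same concatenation, but the input goes through the %q-style escape first,
    so a quote inside the input stays part of the string literal."""
    sql = "SELECT name FROM players WHERE name='" + escape_sqlite_literal(name) + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Bound parameter: the input is never part of the SQL text at all."""
    return [
        row[0]
        for row in conn.execute("SELECT name FROM players WHERE name=?", (name,))
    ]


def unescaped_query_fails(conn: sqlite3.Connection, name: str) -> bool:
    """True when the unescaped query is rejected by the SQL parser
    (the O'Hare case: the quote terminates the literal early)."""
    try:
        lookup_unescaped(conn, name)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("unescaped O'Hare errors:     ", unescaped_query_fails(db, "O'Hare"))
    print("escaped O'Hare finds:        ", lookup_escaped(db, "O'Hare"))
    print("unescaped injection returns: ", lookup_unescaped(db, INJECTION_INPUT))
    print("escaped injection returns:   ", lookup_escaped(db, INJECTION_INPUT))
    print("parameterized returns:       ", lookup_parameterized(db, INJECTION_INPUT))
```

Running it shows the two failure modes side by side: the unescaped O'Hare lookup is a syntax error, while the unescaped injection input silently returns every row (Admin first). After escaping, or with a bound parameter, the same input is just a name that matches nothing.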
#6

Quote:
Originally Posted by rymax99
Rare? If you run a server of any kind of decent size for any extended period of time, you'll find out very quickly that it's not all that rare. Or, you won't find out and you'll just wonder how Jim Jones with 1 playing hour keeps getting $900m.

Worst case here is your database being dumped and posted online. If you don't have some kind of (preferably automatic) backup mechanism in place when your server is of decent size, then you deserve what you get.
SA-MP's input texts have way too many limits (chat > 128, name > 24 etc.) to effectively inject SQL like what you said (getting the whole database's data to post it online); also SA-MP's average age is ~15 I'm assuming (more of an observation, probably wrong) and those don't have enough injection experience / can't write code that injects and retrieves 128 chars of data at a time, hence SQL injection in SA-MP is "rare" but not impossible/non-existent.