SQL Injection.
#1

Theoretically, can a name be used in an injection if it contains only (usual name):
Code:
0-9, a-z, A-Z, [], (), $ @ . _ and = only
For example, the query:
PHP code:
format(query, sizeof(query), "INSERT INTO `History` (`SomeName`) VALUES ('%s')", name); // name - got with GetPlayerName
mysql_tquery(mysql, query, "", 0);
Reply
#2

Use
Quote:

mysql_format(MySQL:handle, output[], len, format[], {Float,_}:...)
https://sampwiki.blast.hk/wiki/MySQL#mysql_format
Using %e instead of %s.

Or you can either use
Quote:

mysql_escape_string(const source[], destination[], max_len = sizeof(destination), MySQL:handle = MYSQL_DEFAULT_HANDLE)
https://sampwiki.blast.hk/wiki/MySQL#mysql_escape_string
Reply
#3

Quote:
Originally Posted by Meller
View Post
Use
Using %e instead of %s.

Or you can either use
...
1. Actually it's C code, which means you cannot use %e (limited API):
PHP code:
char query[300];
snprintf(query, sizeof(query), "INSERT INTO `History` (`SomeName`) VALUES ('%s')", name); // name - got with GetPlayerName
mysql_tquery(mysql, query, "", 0);
2. I asked whether there's a way to inject, not how to prevent it by any means.
3. I haven't found any way, so using mysql_real_escape_string is useless then for game names.
Reply
#4

Whatever, don't prevent it then. I can't be bothered if your server gets an SQL injection because you thought you were being smart with not protecting user-inserted queries.
Reply
#5

Quote:
Originally Posted by Sanya4
View Post
1. Actually it's C code, which means you cannot use %e (limited API):
PHP code:
char query[300];
snprintf(query, sizeof(query), "INSERT INTO `History` (`SomeName`) VALUES ('%s')", name); // name - got with GetPlayerName
mysql_tquery(mysql, query, "", 0);
2. I asked whether there's a way to inject, not how to prevent it by any means.
3. I haven't found any way, so using mysql_real_escape_string is useless then for game names.
You're mixing SA-MP PAWN and C.
SA-MP's format() introduces the %q specifier, which escapes strings using the sqlite engine.
Also, there is mysql_format(), where you can actually use %e as pointed out before.

Escaping names may be useless now, but what if in a next SA-MP version there will be more allowed characters for nicknames? You'll have to look through entire gamemode and escape all nicks. So why not just escape them from the beginning?
Reply
#6

Quote:
Originally Posted by Meller
View Post
Whatever, don't prevent it then. I can't be bothered if your server gets an SQL injection because you thought you were being smart with not protecting user-inserted queries.
Are you really st**id? I asked whether there's a way. You've answered "use this way". Please learn to read. It's not a user-inserted query, it's a game name with limitations. You're saying it's possible even though you don't know what you're talking about, piece of s***.
Reply
#7

Quote:
Originally Posted by Spmn
View Post
Escaping names may be useless now, but what if in a next SA-MP version there will be more allowed characters for nicknames? You'll have to look through entire gamemode and escape all nicks. So why not just escape them from the beginning?
Solved. Closed.
Reply
#8

Quote:
Originally Posted by Sanya4
View Post
Are you really st**id? I've asked there's a way. You've answered "use this way". Please learn to read. It's not user-inserted query, it's a game name with limitation. You're saying it's possible even if you don't know what you're saying about, piece of s***.
Learn some respect kid. A player name is a form of user input by definition.

What if someone joins with the name ; DROP DATABASE your_db_name?

I'd be more than happy to play on your server with that name, if you can still use your database after I join
Reply
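An added example (not code from this thread or from the SA-MP MySQL plugin) that works through both Spmn's point about escaping names from the start and Meller's `; DROP DATABASE` name: it whitelists the character set from the question, shows why such a name cannot close the quoted literal on its own, and inserts through a bound parameter (sqlite3 standing in for mysql_format's %e). The regex, the sample names and the in-memory table are constructed for the example.

```python
import re
import sqlite3

# Constructed whitelist from the question: digits, letters, [], (), $, @, ., _ and =.
# This is the check to rely on; if a future version allows more characters, only
# this one regex needs to change instead of every query in the gamemode.
ALLOWED_NAME = re.compile(r"^[0-9A-Za-z\[\]()$@._=]+$")


def is_allowed_name(name: str) -> bool:
    """True if the name uses only the whitelisted characters."""
    return bool(ALLOWED_NAME.fullmatch(name))


def can_break_string_literal(name: str) -> bool:
    """The reasoning behind the thread's conclusion: a value can only terminate a
    single-quoted SQL literal if it carries a quote or a backslash, and neither is
    in the whitelist. (Multi-byte charset tricks are out of scope here.)"""
    return "'" in name or "\\" in name


def store_name(conn: sqlite3.Connection, name: str) -> str:
    """Insert with a bound parameter (the analogue of %e / %q escaping) and return
    exactly what the database stored, so a hostile name stays a plain string."""
    conn.execute("INSERT INTO History (SomeName) VALUES (?)", (name,))
    row = conn.execute(
        "SELECT SomeName FROM History ORDER BY rowid DESC LIMIT 1"
    ).fetchone()
    return row[0]


def demo() -> dict:
    """Run a few constructed names through the whitelist and the bound insert."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE History (SomeName TEXT)")
    names = ["Sanya4", "[Clan]Player_1", "; DROP DATABASE your_db_name", "O'Brien"]
    results = {}
    for name in names:
        results[name] = {
            "whitelisted": is_allowed_name(name),
            "can_break_literal": can_break_string_literal(name),
            "stored": store_name(conn, name),
        }
    return results


if __name__ == "__main__":
    for name, info in demo().items():
        print(f"{name!r}: {info}")
```

Even the names that fail the whitelist are stored verbatim, because the parameter binding never lets them reach the SQL parser as syntax.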

