[Lester23]

Hi I'm kinda new to this so I'm asking you people how can I protect my server from sql injections ? I do have a gamemode (just playing with it around) and saw some people talking about sql injections, so I began to get worried a bit

I looked over internet and saw a Injection in /changepass :

Код:

 ', playerMoney = '1' WHERE playerName = 'x' #

, I tried to do it on my server and didn't work, yay. My question is how can someone inject in your DB ? (commands, etc) and yet how do I protect it ? I don't want a tutorial tho, just for general knowledge.

Thank you !!

[Vince]

With SQLIte use %q for strings in format(), with MySQL use %e for strings in mysql_format. That's sufficient. In other languages (e.g. PHP) use prepared queries.

Interactive demo: https://www.codebashing.com/sql_demo

[Lester23]

Yeah... figured out I have %s vulnerability and it crashes my server :S

mind helping me please? I added this below the last #include

I tried to add this static const antisqlinjection[][] = {
"'",
"#",
"`",
"%"
};


and this to public OnDialogResponse, right below public OnDialogResponse(playerid, dialogid, response, listitem, inputtext[])


for(new i; i < sizeof(antisqlinjection); i++)
{
if(strfind(inputtext, antisqlinjection[i], true) != -1)
{
SCM(playerid, COLOR_YELLOW, " There are also allowed characters.");
return 1;
}
}


I can make another thread if needed, but please help :S the compiler just crashes.

[DRIFT_HUNTER]

mysql_real_escape_string or mysql_format with %e for user input strings.