sql injection
#1

I am kinda new to mysql,and i wanna just get info about it,i have read wikipedia about sql injection but could someone explain me a little about it?
by the way,could you tell me if anyone can sql injection my databases?i am using '%e' for names without escaping names and i am hashing the password,and saving other things normally.
Reply
#2

http://en.wikipedia.org/wiki/SQL_injection

When a player can input, let's say a name, in a query via in-game, they can (if they get lucky) to ruin your database. An example would be, we want to select the best time in a race and we have to input the race's name. If someone does not escape the queries, I can just do:
pawn Код:
SELECT record FROM races WHERE name='SF Drag';DROP TABLE users;
and if you have a table named "users" - you got big problems.

--

Always use '%e' to any string you pass in a query and you'll be safe.
Reply
#3

should i also use %e to texts like textdraw string?in saving and loading
Reply
#4

It is only necessary to be used while you're inserting them in your queries. Suppose if text is a field where player can use their own custom text, you'll have to escape it before attaching them with your queries. Other fields or data which doesn't require players to fill doesn't require to be escaped.
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)