26.11.2012, 18:05
Looks pretty nice, but I spotted some rather nasty mistakes.

Code:
// OnPlayerText
format(sMysqlQuery, sizeof(sMysqlQuery), "INSERT INTO rstats_chatmessages VALUES(null, %d, '%s', NOW())", iUserid[playerid], text);
mysql_query(sMysqlQuery);

Code:
// OnPlayerCommandText
format(sMysqlQuery, sizeof(sMysqlQuery), "INSERT INTO rstats_commands VALUES(null, %d, '%s', NOW())", iUserid[playerid], cmdtext);
mysql_query(sMysqlQuery);

The user input is not escaped, which means if someone says, for instance, "It's a pencil", the query will fail (because of the apostrophe).
However, not all people are nice, and someone might say
Code:
'); DROP TABLE `rstats_users`; /*
which would delete the whole table. Even if you do not allow the MySQL user to drop or truncate, someone could still ruin all your data with simple update queries. For instance
Code:
'); UPDATE `rstats_users` SET `score` = 0 WHERE 1; /*
would set everyone's score to 0.
Both queries would run just fine, but the database server would interpret that as multiple queries: INSERT INTO rstats_chatmessages VALUES(null, %d, ''); DROP TABLE `rstats_users`; /* , NOW())
The part after /* will be interpreted as a comment and therefore omitted.
So I highly recommend that you escape all user input to prevent MySQL injection.
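The mechanism the reply describes, as an added example that is not part of the post or of the SA-MP script it reviews. It is written in Python against SQLite so it runs offline: the table names come from the post, the columns and the two player rows are constructed for the example, and `datetime('now')` stands in for MySQL's `NOW()`. `build_unsafe` pastes the chat text into the query exactly as the script's `format()` call does, `count_statements` shows how many statements a multi-statement server would see in the result, and `insert_safe` shows the fix as a bound parameter, which is what escaping the input is meant to achieve (SQLite has no MySQL-style backslash escaping, so binding is the honest equivalent here).

```python
import sqlite3

# Constructed schema using the table names from the post; the columns are an assumption.
SCHEMA = """
CREATE TABLE rstats_users (id INTEGER PRIMARY KEY, name TEXT, score INTEGER);
CREATE TABLE rstats_chatmessages (id INTEGER PRIMARY KEY, userid INTEGER, text TEXT, ts TEXT);
"""

# The two chat lines quoted in the post, kept here as plain data.
DROP_PAYLOAD = "'); DROP TABLE `rstats_users`; /*"
UPDATE_PAYLOAD = "'); UPDATE `rstats_users` SET `score` = 0 WHERE 1; /*"


def fresh_db():
    """In-memory database with two constructed player rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO rstats_users VALUES (1, 'alice', 50)")
    conn.execute("INSERT INTO rstats_users VALUES (2, 'bob', 70)")
    conn.commit()
    return conn


def build_unsafe(userid, text):
    """Same construction as the script's format() call: the chat text is pasted into the SQL."""
    return "INSERT INTO rstats_chatmessages VALUES(null, %d, '%s', datetime('now'))" % (userid, text)


def count_statements(sql):
    """Split the string the way a multi-statement server would and count the pieces.

    sqlite3.complete_statement() only reports True when the buffer ends in a
    semicolon outside any quotes or comments, so an unbalanced apostrophe or a
    trailing /* keeps the remainder from ever forming a statement.
    """
    count, buf = 0, ""
    for ch in sql:
        buf += ch
        if sqlite3.complete_statement(buf):
            count += 1
            buf = ""
    return count


def classify_unsafe(userid, text):
    """What the server sees when the text is formatted straight into the query."""
    n = count_statements(build_unsafe(userid, text) + ";")
    if n == 0:
        return "no complete statement"  # "It's a pencil": the stray quote breaks the query
    if n == 1:
        return "one statement"          # harmless text
    return "%d statements" % n          # the text closed the literal and appended its own SQL


def insert_unsafe(conn, userid, text):
    """Run the formatted query; returns None on success, the database error otherwise."""
    try:
        conn.execute(build_unsafe(userid, text))
        conn.commit()
        return None
    except sqlite3.Error as exc:
        return str(exc)


def insert_safe(conn, userid, text):
    """The fix: bind the text as a parameter, so the driver quotes it and it can only be data."""
    conn.execute(
        "INSERT INTO rstats_chatmessages VALUES(null, ?, ?, datetime('now'))", (userid, text)
    )
    conn.commit()


def stored_messages(conn):
    return [row[0] for row in conn.execute("SELECT text FROM rstats_chatmessages ORDER BY id")]


def scores(conn):
    return [row[0] for row in conn.execute("SELECT score FROM rstats_users ORDER BY id")]


if __name__ == "__main__":
    for text in ("hello", "It's a pencil", DROP_PAYLOAD, UPDATE_PAYLOAD):
        print("%-55r -> %s" % (text, classify_unsafe(1, text)))
    conn = fresh_db()
    print("unsafe insert of apostrophe text:", insert_unsafe(conn, 1, "It's a pencil"))
    for text in ("It's a pencil", DROP_PAYLOAD, UPDATE_PAYLOAD):
        insert_safe(conn, 1, text)
    print("stored as data:", stored_messages(conn))
    print("scores untouched:", scores(conn))
```

Running it shows the three outcomes the reply lists: ordinary text is one statement, the apostrophe leaves no complete statement at all, and either quoted payload turns the single INSERT into two statements with the original tail swallowed by the `/*` comment. With the bound parameter the same strings are stored verbatim as chat text and the score column is untouched, which is the check worth keeping in a test for any query that takes player input.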