sql injection
#2

http://en.wikipedia.org/wiki/SQL_injection

When a player can input, let's say a name, in a query via in-game, they can (if they get lucky) ruin your database. An example would be: we want to select the best time in a race and we have to input the race's name. If someone does not escape the queries, I can just do:
Code:
SELECT record FROM races WHERE name='SF Drag';DROP TABLE users;
and if you have a table named "users" - you got big problems.

--

Always use '%e' to any string you pass in a query and you'll be safe.
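The two ways of building that race query side by side, as an added example that is not code from this thread or from the SA-MP MySQL plugin itself. It assumes BlueG's MySQL plugin API as it looked around R33-R39 (mysql_format with %e, mysql_tquery, cache_num_rows, cache_get_field_content_int); the g_SQL handle, the races table and the OnRecordLoaded callback are assumptions made for the example.

```pawn
// Added example, not from the original post. Assumes BlueG's SA-MP MySQL
// plugin (R33-R39 style API) and a table races(name, record).
#include <a_samp>
#include <a_mysql>

new g_SQL; // connection handle returned by mysql_connect (assumed)

// UNSAFE: the player's text is pasted straight into the query string with %s.
// A name like  SF Drag';DROP TABLE users;--  closes the string literal early
// and the rest of the input becomes part of the SQL, exactly as in the thread.
stock ShowRecordUnsafe(playerid, const racename[])
{
    new query[256];
    format(query, sizeof query,
        "SELECT record FROM races WHERE name='%s'", racename);
    mysql_tquery(g_SQL, query, "OnRecordLoaded", "d", playerid);
}

// SAFE: %e tells mysql_format to escape quotes and backslashes in racename,
// so whatever the player typed stays inside the string literal and is only
// ever compared against the name column.
stock ShowRecordSafe(playerid, const racename[])
{
    new query[256];
    mysql_format(g_SQL, query, sizeof query,
        "SELECT record FROM races WHERE name='%e'", racename);
    mysql_tquery(g_SQL, query, "OnRecordLoaded", "d", playerid);
}

// Callback for the threaded query: reads the record from the cache and
// reports it to the player.
forward OnRecordLoaded(playerid);
public OnRecordLoaded(playerid)
{
    if (cache_num_rows() == 0)
    {
        SendClientMessage(playerid, -1, "No record found for that race.");
        return 1;
    }
    new record = cache_get_field_content_int(0, "record");
    new msg[64];
    format(msg, sizeof msg, "Best time: %d ms", record);
    SendClientMessage(playerid, -1, msg);
    return 1;
}
```

The only difference between the two functions is format with %s versus mysql_format with %e; the escaping is what keeps the user's quote characters from ending the literal. The same rule applies to every string that comes from a player (names, chat text, command parameters), not only race names.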


Messages In This Thread
sql injection - by iBots - 17.04.2015, 12:03
Re: sql injection - by Konstantinos - 17.04.2015, 12:10
Re: sql injection - by iBots - 17.04.2015, 12:25
Re: sql injection - by Lordzy - 17.04.2015, 12:48
