17.04.2015, 12:10
http://en.wikipedia.org/wiki/SQL_injection
When a player can input, let's say a name, into a query in-game, they can (if they get lucky) ruin your database. An example would be: we want to select the best time in a race and we have to input the race's name. If someone does not escape the queries, I can just do:
pawn Code:
SELECT record FROM races WHERE name='SF Drag';DROP TABLE users;
and if you have a table named "users" - you've got big problems.
--
Always use '%e' for any string you pass in a query and you'll be safe.
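As an added example (not code from the original post), here is the race-record lookup written the unsafe way and then with '%e' through mysql_format; it assumes BlueG's MySQL plugin (R33 or later), an already-opened connection handle named g_SQL, and a callback name OnRecordLoaded, all of which are my own choices.

```pawn
// Added example, not from the original post. Assumes BlueG's MySQL plugin
// (R33 or later) and an already-opened connection handle g_SQL.
new MySQL:g_SQL;

// Vulnerable: the race name is pasted straight into the SQL text, so a
// name that contains a quote and a semicolon changes the statement itself.
// With the input from the post the query becomes
//   SELECT record FROM races WHERE name='SF Drag';DROP TABLE users;--'
stock LoadRecordUnsafe(const raceName[])
{
    new query[160];
    format(query, sizeof query,
        "SELECT record FROM races WHERE name='%s'", raceName);
    mysql_tquery(g_SQL, query, "OnRecordLoaded");
}

// Hardened: %e is mysql_format's escaped-string specifier. Quotes inside
// raceName are escaped, so the same input stays one string literal:
//   SELECT record FROM races WHERE name='SF Drag\';DROP TABLE users;--'
stock LoadRecordSafe(const raceName[])
{
    new query[160];
    mysql_format(g_SQL, query, sizeof query,
        "SELECT record FROM races WHERE name='%e'", raceName);
    mysql_tquery(g_SQL, query, "OnRecordLoaded");
}

// Result callback (hypothetical name); only checks that a row came back.
forward OnRecordLoaded();
public OnRecordLoaded()
{
    if (cache_num_rows() == 0)
    {
        print("No record found for that race.");
    }
    return 1;
}
```

Never build the query with format() and then call mysql_format on it afterwards; the escaping has to happen where the player's string enters the query text.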