20.02.2014, 03:32
Hi,
I made a cmd to permit a user to change his own password IG. And I wanted to know if it's possible for someone to do a SQL Injection into my server. This is my cmd:
Code:
CMD:changermdp(playerid, params[])
{
    new mdp[33], hash[129], query[256];
    if (sscanf(params, "s[33]", mdp))
        return SendClientMessage(playerid, Gris, "Usage: /changermdp [Mot de Passe]");
    if (strlen(mdp) > 24 || strlen(mdp) < 6)
        return SendClientMessage(playerid, Gris, "Votre mot de passe doit faire entre 6 et 24 caractères.");
    // Hash into a dedicated buffer (128 hex chars + terminator) instead of overwriting the input in place
    WP_Hash(hash, sizeof(hash), mdp);
    mysql_format(mysql, query, sizeof(query), "UPDATE `joueurs` SET `Password`='%e' WHERE `ID`=%d", hash, pInfo[playerid][ID]);
    mysql_tquery(mysql, query, "", "");
    SendClientMessage(playerid, Jaune, "Votre mot de passe a bien été changé.");
    return 1;
}
I read that %e is an escaped string and it's normally safe to use. But I wanted to be sure. Thank you.
PS: For my register system, I've got the same question:
Code:
mysql_format(mysql, query, sizeof(query),
    "INSERT INTO `joueurs` (`Username`, `Password`, `IP`, `DerniereIP`, `Admin`, `VIP`, `Argent`, `Banque`, `posX`, `posY`, `posZ`, `Interieur`, `World`, `Skin`, `Niveau`, `DateInscription`, `Bannis`, `Vie`, `Armure`) VALUES ('%e', '%s', '%s', '%s', 0, 0, 1000, 0, 1527.5634, -1738.9218, 13.5469, 0, 0, 26, 1, '%s', 0, 100, 0)",
    Name[playerid], pInfo[playerid][Password], IP[playerid], IP[playerid], timeInscription);
mysql_tquery(mysql, query, "", "");
'Cause here I'm using '%s' for the password, but should I use %e?
Thank you
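As an added example (not code from the post), the Pawn below shows what mysql_format does with the same player-supplied value under %s versus %e, then a hardened version of the post's INSERT where every client-originated string goes through %e and the password is hashed into its own buffer. The `mysql` handle, the `joueurs` table, `Name[]`, `IP[]` and `WP_Hash` are taken from the post; the input "O'Brien" is constructed and the column list is shortened.

```pawn
#include <a_samp>
#include <a_mysql>

// Builds the same lookup twice so the two specifiers can be compared.
// Assumes the global `mysql` connection handle from the post.
stock BuildLookupQueries(const username[], raw[], rawlen, escaped[], esclen)
{
    // %s pastes the value verbatim. The apostrophe in O'Brien closes the SQL
    // string literal early, so the rest of the name is parsed as SQL, not data:
    // a harmless name breaks the query, and anything after the quote is live SQL.
    mysql_format(mysql, raw, rawlen,
        "SELECT `ID` FROM `joueurs` WHERE `Username` = '%s'", username);

    // %e passes the value through mysql_real_escape_string first, so the
    // apostrophe is backslash-escaped and stays inside the literal.
    mysql_format(mysql, escaped, esclen,
        "SELECT `ID` FROM `joueurs` WHERE `Username` = '%e'", username);
}

// Hardened form of the post's INSERT: %e for the name, the IP and the hash
// (the hash is hex-only, but escaping it costs nothing and keeps the rule
// uniform), and the password hashed into a separate buffer.
stock RegisterPlayer(playerid, const mdp[])
{
    new hash[129], query[512];
    WP_Hash(hash, sizeof(hash), mdp); // 128 hex chars + terminator
    mysql_format(mysql, query, sizeof(query),
        "INSERT INTO `joueurs` (`Username`, `Password`, `IP`, `DerniereIP`) VALUES ('%e', '%e', '%e', '%e')",
        Name[playerid], hash, IP[playerid], IP[playerid]);
    mysql_tquery(mysql, query, "", "");
}

// Constructed input: a legitimate name that happens to contain an apostrophe.
stock ShowEscapeDifference()
{
    new raw[128], escaped[128];
    BuildLookupQueries("O'Brien", raw, sizeof(raw), escaped, sizeof(escaped));
    print(raw);     // literal closed early by the apostrophe
    print(escaped); // apostrophe escaped, literal intact
}
```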