SQL Injection
#1

I have just found out about the mysql escape string thing.
I am worried about these SQL injections in the future if some amateur bullshit attempts to do a SQL Injection on the server once they find out how the query works.

When am I gonna use the mysql escape string? Shall I place it in every query which has to deal with strings?
Reply
#2

Please learn how to search:
https://sampwiki.blast.hk/wiki/MySQL#mys..._escape_string
https://sampforum.blast.hk/showthread.php?tid=446040

Quote:

amateur bullshit attempts to do a SQL Injection

It is amateur to not have researched SQL properly to understand these flaws before you begin writing a script which uses SQL frankly. Not sure how you can be frustrated with others when it's a flaw you have caused yourself by a lack of research.
Reply
#3

You should escape every string that has been entered by a player.

Strings that are generated inside your script (like a line of text that could act as a log-entry for record-keeping) normally don't need to be escaped, unless they contain data inputted by a player (like chat).

Example:
Your script could generate a line of text like this: "Player %s has earned $%i", which needs to be added into a log-table.
This line needs to be escaped as it contains a player-name (player-names are inputted by the player himself).
Players could change their name to "DROP TABLE accounts;" and your script would happily delete your table.

Example 2:
Your script could generate a line of text like this: "Total players online: %i".
This text doesn't need to be escaped as there is no user input in that line.
Players can't do anything with this text to corrupt your tables in any way.

Integers and floats never need to be escaped.
Reply
#4

No need to call mysql_escape_string as long as you use mysql_format with %e specifier for escaping the string. The users above already mentioned when you should escape the strings.
Reply
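The two points made in posts #3 and #4 (escape only strings that came from a player, and let mysql_format's %e specifier do the escaping) as one worked Pawn snippet. This is an added example, not code from the thread or from the SA-MP MySQL plugin. It assumes the R39+/R40-style plugin API (a MySQL:-tagged handle, mysql_format(handle, dest, size, fmt, ...) and mysql_tquery(handle, query)), a global connection handle g_SQL opened elsewhere with mysql_connect, and a table named logs with a column entry; the handle, table and column names are placeholders.

```pawn
#include <a_samp>
#include <a_mysql>

// Assumed: a global connection handle opened elsewhere with mysql_connect().
new MySQL:g_SQL;

// Unescaped version, kept only for contrast with the safe one below. The
// player name is copied straight into the statement with %s, so whatever
// the player typed as a name (post #3's example: "DROP TABLE accounts;")
// becomes part of the SQL text sent to the server.
stock LogEarnings_Unsafe(playerid, amount)
{
    new name[MAX_PLAYER_NAME + 1], query[192];
    GetPlayerName(playerid, name, sizeof name);
    format(query, sizeof query,
        "INSERT INTO logs (entry) VALUES ('Player %s has earned $%i')",
        name, amount);
    mysql_tquery(g_SQL, query);
}

// Safe version: %e runs the player-supplied name through the plugin's
// escaping before substituting it; %i is a plain integer and needs no
// escaping, as post #3 says.
stock LogEarnings(playerid, amount)
{
    new name[MAX_PLAYER_NAME + 1], query[192];
    GetPlayerName(playerid, name, sizeof name);
    mysql_format(g_SQL, query, sizeof query,
        "INSERT INTO logs (entry) VALUES ('Player %e has earned $%i')",
        name, amount);
    mysql_tquery(g_SQL, query);
}

// Script-generated text with no player input (post #3, example 2): the only
// variable part is a number the script computed itself, so %i is enough.
stock LogPlayerCount()
{
    new count = 0, query[96];
    for (new i = 0; i < MAX_PLAYERS; i++)
    {
        if (IsPlayerConnected(i)) count++;
    }
    mysql_format(g_SQL, query, sizeof query,
        "INSERT INTO logs (entry) VALUES ('Total players online: %i')", count);
    mysql_tquery(g_SQL, query);
}
```

The rule of thumb from the thread is visible in the format strings: every %s that receives text a player could have influenced (name, chat, any command argument) becomes %e, while numeric specifiers stay as they are. Older plugin releases (R7 and earlier) took an untagged integer connection handle and a different mysql_escape_string argument order, so check the include shipped with the plugin version you actually use before copying these signatures.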