27.03.2014, 16:26
Hi SA-MP.Com , i need help with my sql database , recently someone deleted all the acounts on my server with sql injection, i tried to put this in the gamemode but on the wiki it says that i have to Simply patch any user inputs with the function below. But how ? Im not an expert
For example , i have this stock , how to add db_escape to it ?
Код:
stock DB_Escape(text[])
{
new
ret[MAX_INI_ENTRY_TEXT * 2],
ch,
i,
j;
while ((ch = text[i++]) && j < sizeof (ret))
{
if (ch == '\'')
{
if (j < sizeof (ret) - 2)
{
ret[j++] = '\'';
ret[j++] = '\'';
}
}
else if (j < sizeof (ret))
{
ret[j++] = ch;
}
else
{
j++;
}
}
ret[sizeof (ret) - 1] = '\0';
return ret;
}
Код:
stock ShowTop(playerid, stats[], what[], limit = MAX_TOP_LIMIT)
{
//--------------------------------------------------------------------------
new Speed = GetTickCount(), DialString[3_000], String[2][128],
Query[2][256], DBResult:Result1, DB:g_dbKeptAlive, what2[30];
g_dbKeptAlive = db_open("Accounts.db");
//--------------------------------------------------------------------------
format(Query[0], 256, "SELECT `name` FROM `users` ORDER BY `%s` *1 DESC limit %d", stats, limit);
Result1 = db_query(g_dbKeptAlive, Query[0]);
//--------------------------------------------------------------------------
if(!strcmp(what, "Kills")) what2 = "Kills";
else if(!strcmp(what, "Hours")) what2 = "Hours";
else if(!strcmp(what, "SPoints")) what2 = "Stunt Points";
else if(!strcmp(what, "DriftP")) what2 = "Drift Points";
else if(!strcmp(what, "RaceP")) what2 = "Race Points";
//--------------------------------------------------------------------------
format(DialString, sizeof DialString, "", what2);
for(new Qr; Qr < db_num_rows(Result1); Qr++)
{
db_get_field(Result1, 0, String[0], 128);
format(Query[1], 256, "SELECT `%s` FROM `users` WHERE `Name` = '%s'", stats, String[0]);
new DBResult:Result2 = db_query(g_dbKeptAlive, Query[1]);
db_get_field(Result2, 0, String[1], 128);
//----------------------------------------------------------------------
if(!strcmp(stats, "Kills")) format(DialString, sizeof DialString,
"%s\n{00FF00}%d. {CCCCCC}%s: {FF0000}%s Kills", DialString, Qr+1, String[0], String[1]/*FormatNumber(strval(String[1]))*/);
//----------------------------------------------------------------------
else if(!strcmp(stats, "Hours")) format(DialString, sizeof DialString,
"%s\n{00FF00}%d. {CCCCCC}%s: {FF0000}%s Hours", DialString, Qr+1, String[0], String[1]/*FormatNumber(strval(String[1]))*/);
//----------------------------------------------------------------------
else if(!strcmp(stats, "SPoints")) format(DialString, sizeof DialString,
"%s\n{00FF00}%d. {CCCCCC}%s: {FF0000}%s Stunt Points", DialString, Qr+1, String[0], String[1]/*FormatNumber(strval(String[1]))*/);
//----------------------------------------------------------------------
else if(!strcmp(stats, "DriftP")) format(DialString, sizeof DialString,
"%s\n{00FF00}%d. {CCCCCC}%s: {FF0000}%s Drift Points", DialString, Qr+1, String[0], String[1]/*FormatNumber(strval(String[1]))*/);
//----------------------------------------------------------------------
else if(!strcmp(stats, "RaceP")) format(DialString, sizeof DialString,
"%s\n{00FF00}%d. {CCCCCC}%s: {FF0000}%s Race Points", DialString, Qr+1, String[0], String[1]/*FormatNumber(strval(String[1]))*/);
//----------------------------------------------------------------------
db_next_row(Result1);
db_free_result(Result2);
}
db_free_result(Result1);
db_close(g_dbKeptAlive);
format(DialString, sizeof DialString, "%s\n\n{CCFF66}The players with most points will apear here!\n{CCFF66}It is a honor to apear here!", DialString, GetTickCount() - Speed);
ShowPlayerDialog( playerid, 123, DIALOG_STYLE_MSGBOX, "{CCFF66}Top 10 players, DialString, "Close", "");
return 1;
}