Is this mysql safe, and proficient?
#1

So I'm starting to learn mysql, I'm a few years late but it's better late than never. How ever I don't know if I've done it the most proficient way, and whether or not it's safe from sql attacks/injections. So it would be appreciated if someone experienced with mysql had a look at it!

Here's how I've done it:
pawn Код:
format(query, sizeof(query), "SELECT * from `fortcarson` WHERE Fullname = '%s' LIMIT 1", GetPlayersName(playerid));
        mysql_tquery(Mysql_users, query, "IsAccountRegistered", "i", playerid);
pawn Код:
forward IsAccountRegistered(playerid);
public IsAccountRegistered(playerid)
{
    new rows, fields, string[256], query[1052];
    cache_get_data(rows, fields, Mysql_users);
   
   
    if(rows) // If account is registered
    {
        mysql_format(Mysql_users, query, sizeof(query), "SELECT * FROM `fortcarson` WHERE `Fullname` = '%e' LIMIT 1", GetPlayersName(playerid));
        mysql_tquery(Mysql_users, query, "Loadplayerdata", "i", playerid);
        format(string, sizeof(string), "{FFFFFF}Hello, %s!\n\nWelcome back to {D69929}Fort Carson{FFFFFF}.\nPlease login with your existing password below.", GetPlayersName(playerid));
        ShowPlayerDialog(playerid, DIALOG_LOGIN, DIALOG_STYLE_PASSWORD, "{FFFFFF}Welcome back to Fort Carson.", string, "Login", "Leave");
    }
    else if(!rows) {
        format(string, sizeof(string), "{FFFFFF}Hello, %s.\n\nWelcome to {D69929}Fort Carson Roleplay!{FFFFFF}\nYour account doesn't seem to exist.\nPlease input a desired password below.", GetPlayersName(playerid));
        ShowPlayerDialog(playerid, DIALOG_REGISTER, DIALOG_STYLE_INPUT, "{FFFFFF}Welcome to Fort Carson.", string, "Register", "Leave");
    }
    return 1;
}
pawn Код:
if(dialogid == DIALOG_LOGIN)
    {
        if(response)
        {
            if(!strlen(inputtext))
            {
                format(string, sizeof(string), "{FFFFFF}Hello, %s!\n\nWelcome back to {D69929}Fort Carson{FFFFFF}.\nPlease login with your existing password below.", GetPlayersName(playerid));
                ShowPlayerDialog(playerid, DIALOG_LOGIN, DIALOG_STYLE_PASSWORD, "{FFFFFF}Welcome back to Fort Carson.", string, "Login", "Leave");
            }
            format(string, sizeof(string), "%s", inputtext);
            WP_Hash(password, sizeof (password), string);
           
            if(!strcmp(password, PlayerData[playerid][Password]))
            {
                if(PlayerData[playerid][Banned] == 1)
                {
                    foreach(Player, i)
                    {
                        if(PlayerData[i][AdminLevel] >=1 )
                        {
                            format(string, sizeof(string), "Admin:{FFFFFF} %s just attempted to log into their banned account.", GetPlayersName(playerid));
                            SendClientMessage(i, COLOR_PALERED, string);
                        }
                    }
                    SendClientMessage(playerid, COLOR_PALERED, "You are currently banned from the server.");
                    format(string, sizeof(string), "Reason:{FFFFFF} %s", PlayerData[playerid][BanReason]);
                    SendClientMessage(playerid, COLOR_PALERED, string);
                    format(string, sizeof(string), "Banned by:{FFFFFF} %s", PlayerData[playerid][BannedBy]);
                    SendClientMessage(playerid, COLOR_PALERED, string);
                    SendClientMessage(playerid, COLOR_WHITE, "You can protest this ban on our forums, just take a screenshot of this.");
                    KickEx(playerid);
                    return 1;
                }
                if(PlayerData[playerid][AdminLevel] == 0)
                {
                    SpawnPlayer(playerid);
                    format(string, sizeof(string), "Welcome back to Fort Carson,{FFFFFF} %s.", GetPlayersName(playerid));
                    SendClientMessage(playerid, COLOR_SERVER, string);
                    gIsPlayerLoggedIn[playerid] = 1;
                }
                else if(PlayerData[playerid][AdminLevel] >= 1)
                {
                    ShowPlayerDialog(playerid, DIALOG_ADMINAUTH, DIALOG_STYLE_INPUT, "Administration Security", "Please enter your Administration Key to continue", "Submit", "Cancel");
                }
                return 1;
            }
            else
            {
                SendClientMessage(playerid, COLOR_PALERED, "Warning:{FFFFFF} That password was incorrect. You have been kicked from the server.");
                KickEx(playerid);
            }
        }
        else
        {
            SendClientMessage(playerid, COLOR_SERVER, "Warning:{FFFFFF} You chose to leave the server.");
            KickEx(playerid);
        }
        return 1;
    }
   
    else if(dialogid == DIALOG_REGISTER)
    {
        if(response)
        {
            if(!strlen(inputtext))
            {
                format(string, sizeof(string), "{FFFFFF}Hello, %s.\n\nWelcome to {D69929}Fort Carson Roleplay!{FFFFFF}\nYour account doesn't seem to exist.\nPlease input a desired password below.", GetPlayersName(playerid));
                ShowPlayerDialog(playerid, DIALOG_REGISTER, DIALOG_STYLE_INPUT, "{FFFFFF}Welcome to Fort Carson.", string, "Register", "Leave");
            }
            format(string, sizeof(string), "%s", inputtext);
            WP_Hash(password, sizeof(password), string);
            format(PlayerData[playerid][Fullname], 126, "%s", GetPlayersName(playerid));
            format(PlayerData[playerid][Password], 129, "%s", password);
            PlayerData[playerid][PositionX] = 155.435546;
            PlayerData[playerid][PositionY] = 1174.296875;
            PlayerData[playerid][PositionZ] = 15.491741;
            PlayerData[playerid][PositionA] = 75.370346;
            PlayerData[playerid][Health] = 100; PlayerData[playerid][Armour] = 0;
            PlayerData[playerid][Interior] = 0; PlayerData[playerid][VirtualWorld] = 0;
            gIsPlayerLoggedIn[playerid] = 1;
            SpawnPlayer(playerid);
            format(string, sizeof(string), "Welcome to Fort Carson,{FFFFFF} %s.", GetPlayersName(playerid));
            SendClientMessage(playerid, COLOR_SERVER, string);
            mysql_format(Mysql_users, query, sizeof(query), "INSERT INTO `fortcarson` (`Fullname`, `Password`, `PositionX`, `PositionY`, `PositionZ`, `PositionA`, `Health` ,`Armour`, `Interior`, `VirtualWorld`) VALUES ('%s', '%s', 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0, 0)", PlayerData[playerid][Fullname], PlayerData[playerid][Password]);
            mysql_tquery(Mysql_users, query, "", "");


        }
        else
        {
            SendClientMessage(playerid, COLOR_SERVER, "Warning:{FFFFFF} You chose to leave the server.");
            KickEx(playerid);
        }
    }

So, have I done it correctly, or can it be improved?
(The actual mysql bits; not any other bits)

Thank you in advance.
Reply
#2

bump
Reply
#3

Instead of using '%s' to insert string into your query, use '%e'. This ecapes the string and avoids any possible MySQL Inject.
Reply
#4

Quote:
Originally Posted by Jacksta21
Посмотреть сообщение
Instead of using '%s' to insert string into your query, use '%e'. This ecapes the string and avoids any possible MySQL Inject.
Okay, thank you for that tip!
Reply


Forum Jump:


Users browsing this thread: