03.11.2016, 14:22
So recently I have been getting some crashes and started looking into it, and it seems that players are somehow abusing the /changepass command to crash the server.
If they type %s or anything like that in the box, the server crashes.
I tried adding a strfind check for the % symbol, but with no success.
I changed the %s parameter in the query to %e.
This is the code.
If they type %s or anything like that in the box, the server crashes.
I tried adding a strfind check for the % symbol, but with no success.
I changed the %s parameter in the query to %e.
This is the code.
Код:
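// Handles the response to the "change password" input dialog.
//
// NOTE(review): nothing in this excerpt uses inputtext as a *format string*;
// it is only ever passed as an argument to format()/mysql_format(). If "%s"
// typed into the box still crashes the server, the cause is probably in code
// that is not shown here (e.g. earlier in the callback, or inside
// ABroadCast) - look for any call where player-supplied text is given as the
// format parameter itself.
if(dialogid == DIALOG_NEWPASS)
{
    if(response)
    {
        new length = strlen(inputtext);

        // Empty or over-long input: explain the limit and ask again.
        if(length == 0 || length > 15)
        {
            SendClientMessage(playerid, COLOR_WHITE, "Please enter another password (maximum 15 characters).");
            ShowPlayerDialog(playerid, DIALOG_NEWPASS,DIALOG_STYLE_INPUT, "Change password:","Type in box your new password:","Done","Close");
            return 1;
        }

        // Defence in depth: refuse any input containing '%' before the text
        // reaches a formatting native.
        if(strfind(inputtext, "%") != -1) return Kick(playerid);

        // A 1-character password passes the check above but is not accepted
        // here; it falls through to the else branch, which re-opens the dialog.
        if(length > 1 && length < 16)
        {
            new namee[30], playerip[16];

            // Keep the password exactly as typed. The original pre-escaped it
            // with mysql_real_escape_string() and then escaped it again through
            // '%e', so a password containing quotes or backslashes was stored
            // differently from what the player entered. '%e' below is the
            // single escaping step.
            // NOTE(review): 255 is the capacity claimed for pKey; it must not
            // exceed the size declared for that field - confirm against the
            // enum, which is not part of this excerpt.
            strmid(PlayerInfo[playerid][pKey], inputtext, 0, length, 255);

            // NOTE(review): the password is echoed back and stored in
            // plaintext. Storing a salted hash instead would need matching
            // changes to the login code, which is outside this excerpt.
            format(string, sizeof(string), "Your new password is %s.", inputtext);
            SendClientMessage(playerid, COLOR_YELLOW, string);

            // Tell admins who changed their password and from which address.
            GetPlayerName(playerid, namee, sizeof(namee));
            GetPlayerIp(playerid, playerip, sizeof(playerip));
            format(string, sizeof(string), "%s[user:%d] changed his password. IP: %s", namee, PlayerInfo[playerid][pSQLID], playerip);
            ABroadCast(COLOR_YELLOW, string, 1);
            GetPlayerName(playerid, sendername, sizeof(sendername));

            // Both values are interpolated with '%e' so that each is escaped
            // exactly once by mysql_format(); the name was previously inserted
            // with '%s', i.e. without escaping.
            new str2[240];
            mysql_format(SQL, str2, sizeof(str2), "UPDATE users SET `password`='%e' WHERE `name`='%e'", PlayerInfo[playerid][pKey], PlayerInfo[playerid][pNormalName]);
            mysql_tquery(SQL, str2, "", "");
            return 1;
        }
        else
        {
            ShowPlayerDialog(playerid, DIALOG_NEWPASS,DIALOG_STYLE_INPUT, "Change password:","Type in box your new password:","Done","Close");
            return 1;
        }
        // The posted excerpt ends here: the closing braces of the two enclosing
        // blocks (if(response) and if(dialogid == DIALOG_NEWPASS)) are not shown.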