Login

~~YouHack~~ · 14.01.2017, 12:00

Does anyone knows the anti sql injectin script?

Armand25 · 14.01.2017, 12:15

static const antisqlinjection[][] = {
"'",
"#",
"`",
"%"
};

to public OnDialogResponse put this:

for(new i; i < sizeof(antisqlinjection); i++)
{
if(strfind(inputtext, antisqlinjection[i], true) != -1)
{
SCM(playerid, COLOR_YELLOW, " There are also allowed characters.");
return 1;
}
}

~~BiosMarcel~~ · 14.01.2017, 12:19

Quote:

Originally Posted by Armand25

static const antisqlinjection[][] = {
"'",
"#",
"`",
"%"
};

to public OnDialogResponse put this:

for(new i; i < sizeof(antisqlinjection); i++)
{
if(strfind(inputtext, antisqlinjection[i], true) != -1)
{
SCM(playerid, COLOR_YELLOW, " There are also allowed characters.");
return 1;
}
}

IMHO that's stupid as hell.

Escape the SQL query instead, if you are using MySQL R40+ you can use this: https://sampwiki.blast.hk/wiki/MySQL/R40#mysql_format

~~YouHack~~ · 14.01.2017, 12:33

Using R39

~~BiosMarcel~~ · 14.01.2017, 12:39

Quote:

Originally Posted by YouHack

Using R39

That version also has the mysql_format function and it also has the mysql_escape_string function.

Sorry, i should have mentioned that

~~YouHack~~ · 14.01.2017, 12:48

if my script was fully using mysql_format, i don't need to worry about injection right?

X337 · 14.01.2017, 12:50

Wrong, even you are using mysql_format. That still can be injected if you didn't escape any strings.

~~BiosMarcel~~ · 14.01.2017, 12:51

Quote:

Originally Posted by X337

Wrong, even you are using mysql_format. That still can be injected if you didn't escape any strings.

Yeah i should have mentioned that, but i thought he should notice that when reading the format specifiers

PeanutButter · 14.01.2017, 14:39

According to SA-MP Wiki (mysql_format)

Код:

%e	Escapes data directly without the need to call mysql_escape_string() before.

Login
Username:
Password:	Lost Password?
	Remember me