Posts: 293
Threads: 20
Joined: Jan 2017
Does anyone know the anti SQL injection script?
Posts: 4
Threads: 1
Joined: Oct 2013
Reputation: 0
// characters the dialog input is rejected for
static const antisqlinjection[][] = {
    "'",
    "#",
    "`",
    "%"
};
to public OnDialogResponse put this:
// scan the input for every listed character (case-insensitive)
for(new i; i < sizeof(antisqlinjection); i++)
{
    if(strfind(inputtext, antisqlinjection[i], true) != -1)
    {
        // SCM = SendClientMessage
        SCM(playerid, COLOR_YELLOW, " There are also allowed characters.");
        return 1;
    }
}
Posts: 1,219
Threads: 51
Joined: Jul 2012
Quote:
Originally Posted by Armand25
static const antisqlinjection[][] = {
    "'",
    "#",
    "`",
    "%"
};
to public OnDialogResponse put this:
for(new i; i < sizeof(antisqlinjection); i++)
{
    if(strfind(inputtext, antisqlinjection[i], true) != -1)
    {
        SCM(playerid, COLOR_YELLOW, " There are also allowed characters.");
        return 1;
    }
}
|
IMHO that's stupid as hell.
Escape the SQL query instead. If you are using MySQL R40+, you can use this:
https://sampwiki.blast.hk/wiki/MySQL/R40#mysql_format
Posts: 293
Threads: 20
Joined: Jan 2017
Posts: 1,219
Threads: 51
Joined: Jul 2012
Quote:
Originally Posted by YouHack
Using R39
|
That version also has the mysql_format function and it also has the mysql_escape_string function.
Sorry, I should have mentioned that.
Posts: 293
Threads: 20
Joined: Jan 2017
If my script was fully using mysql_format, I don't need to worry about injection, right?
Posts: 872
Threads: 25
Joined: Sep 2014
Reputation: 0
Wrong, even if you are using mysql_format. That can still be injected if you didn't escape any strings.
Posts: 1,219
Threads: 51
Joined: Jul 2012
Quote:
Originally Posted by X337
Wrong, even if you are using mysql_format. That can still be injected if you didn't escape any strings.
|
Yeah, I should have mentioned that, but I thought he would notice that when reading the format specifiers.
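To make the last two posts concrete, here is an added example (not code from anyone in this thread) of the point X337 is making: mysql_format only protects the query when the string specifier is %e, which escapes the value; %s copies the dialog text into the query unchanged. Both ways of building the same lookup query are shown side by side so the difference is visible, with the handler using the escaped one. It assumes the R40 plugin API linked above (a MySQL: tagged handle, mysql_format, mysql_tquery), a hypothetical table `players` with columns `name` and `money`, a hypothetical dialog id DIALOG_LOOKUP, and placeholder connection details; the unsafe function is kept only for comparison and is never called.

```pawn
#include <a_samp>
#include <a_mysql>

#define DIALOG_LOOKUP 1234          // assumed dialog id for the name lookup dialog

new MySQL:g_SQL;                    // connection handle, set in OnGameModeInit

public OnGameModeInit()
{
    // placeholder credentials; replace with the server's own
    g_SQL = mysql_connect("localhost", "user", "password", "database");
    return 1;
}

// UNSAFE, for comparison only: %s pastes inputtext into the query verbatim, so a
// quote character inside the input closes the string literal and everything after
// it is parsed as SQL. Using mysql_format does not help here; the specifier does.
stock LookupPlayerUnsafe(playerid, const inputtext[])
{
    new query[256];
    mysql_format(g_SQL, query, sizeof(query),
        "SELECT `money` FROM `players` WHERE `name` = '%s' LIMIT 1", inputtext);
    mysql_tquery(g_SQL, query, "OnLookupPlayer", "d", playerid);
}

// SAFE: %e escapes the string for the connection, so whatever the player typed can
// only ever be the *value* of the literal. No character blacklist is needed, and a
// legitimate name such as O'Neil is accepted instead of being rejected.
stock LookupPlayerSafe(playerid, const inputtext[])
{
    new query[256];
    mysql_format(g_SQL, query, sizeof(query),
        "SELECT `money` FROM `players` WHERE `name` = '%e' LIMIT 1", inputtext);
    mysql_tquery(g_SQL, query, "OnLookupPlayer", "d", playerid);
}

public OnDialogResponse(playerid, dialogid, response, listitem, inputtext[])
{
    if(dialogid == DIALOG_LOOKUP && response)
    {
        // Length/emptiness check is about sane input, not about injection;
        // the escaping in LookupPlayerSafe is what keeps the query intact.
        if(inputtext[0] == EOS || strlen(inputtext) > MAX_PLAYER_NAME)
        {
            SendClientMessage(playerid, 0xFFFF00FF, "Enter a player name.");
            return 1;
        }
        LookupPlayerSafe(playerid, inputtext);
        return 1;
    }
    return 0;
}

// Result callback; reading the row is version-specific (cache_* natives differ
// between R39 and R40), so it is left to the reader's plugin version.
forward OnLookupPlayer(playerid);
public OnLookupPlayer(playerid)
{
    SendClientMessage(playerid, 0xFFFF00FF, "Lookup finished.");
    return 1;
}
```

The same rule applies to every specifier: numbers passed with %d or %f are written as numbers and cannot carry quotes, so only strings need %e. Escaping at the point where the query is built is also what makes the character blacklist from the first reply unnecessary, since the query stays well-formed no matter which characters the player typed.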