Anti SQL Injection, how it works on samp
#1

Hi, I'm kinda new to this, so I'm asking you people: how can I protect my server from SQL injections? I do have a gamemode (just playing around with it) and saw some people talking about SQL injections, so I began to get a bit worried.

I looked over the internet and saw an injection in /changepass:
Code:
 ', playerMoney = '1' WHERE playerName = 'x' #
I tried it on my server and it didn't work, yay. My question is: how can someone inject into your DB? (commands, etc.) And how do I protect it? I don't want a tutorial though, just general knowledge.

Thank you !!
#2

With SQLite use %q for strings in format(); with MySQL use %e for strings in mysql_format. That's sufficient. In other languages (e.g. PHP) use prepared queries.

Interactive demo: https://www.codebashing.com/sql_demo
#3

Yeah... I figured out I have a %s vulnerability and it crashes my server :S

Mind helping me please? I added this below the last #include:

Code:
 // characters to reject from dialog input
 static const antisqlinjection[][] = {
     "'",
     "#",
     "`",
     "%"
 };

and this to public OnDialogResponse, right below public OnDialogResponse(playerid, dialogid, response, listitem, inputtext[]):

Code:
 for(new i; i < sizeof(antisqlinjection); i++)
 {
     // strfind returns -1 when the substring is not present
     if(strfind(inputtext, antisqlinjection[i], true) != -1)
     {
         SCM(playerid, COLOR_YELLOW, " There are also allowed characters.");
         return 1;
     }
 }

I can make another thread if needed, but please help :S The compiler just crashes.
#4

mysql_real_escape_string, or mysql_format with %e, for user-input strings.
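An added example (not from the thread, SA-MP or any MySQL plugin), using Python with SQLite as a stand-in for the Pawn/MySQL code: it shows what the /changepass payload quoted in #1 does to a %s-built query, and that a parameterised query (what %e/%q escaping or a prepared statement gives you, as #2 and #4 recommend) stores the payload as plain text. The player table and its two rows are constructed for the demo.

```python
import sqlite3

# Payload quoted in the thread's /changepass example (in MySQL, '#' starts a comment).
PAYLOAD = "', playerMoney = '1' WHERE playerName = 'x' #"

def make_db():
    """Constructed in-memory stand-in for the gamemode's player table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE players (playerName TEXT PRIMARY KEY, "
               "password TEXT, playerMoney INTEGER)")
    db.executemany("INSERT INTO players VALUES (?, ?, ?)",
                   [("alice", "oldpass", 500), ("x", "secret", 9000)])
    return db

def changepass_query_unsafe(player, newpass):
    """The %s-style query: user input is pasted straight into the SQL text.
    Returned rather than executed, because SQLite does not treat '#' as a
    comment the way MySQL does; the text alone shows the structural change."""
    return ("UPDATE players SET password = '%s' WHERE playerName = '%s'"
            % (newpass, player))

def executed_by_mysql(sql):
    """What MySQL would actually run: everything before the '#' comment.
    Naive split, sufficient for this demo string."""
    return sql.split("#", 1)[0].strip()

def changepass_safe(db, player, newpass):
    """Parameterised query: the driver sends the value separately from the
    SQL text, so it can never become SQL, whatever characters it contains."""
    db.execute("UPDATE players SET password = ? WHERE playerName = ?",
               (newpass, player))
    db.commit()

def snapshot(db):
    """Return {playerName: (password, playerMoney)} for every row."""
    return {name: (pw, money) for name, pw, money in
            db.execute("SELECT playerName, password, playerMoney FROM players")}

if __name__ == "__main__":
    # The unsafe build turns alice's password change into an UPDATE of x's money.
    print(executed_by_mysql(changepass_query_unsafe("alice", PAYLOAD)))
    db = make_db()
    changepass_safe(db, "alice", PAYLOAD)
    print(snapshot(db))  # alice's password is the literal payload; x untouched
```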