can players exploit sourcemod with their name?
servercommand("sm_command %s",GetClientName(client))
If they make their name something like ;quit, will it work like sm_command ; then quit the console? Is it somehow possible for them to make their name something like I mentioned above? If it's possible, which names are a possible threat? (I am not sure, but I saw something like ;/quit/, I can't exactly remember.) How can I prevent them from doing that?
Re: can players exploit sourcemod with their name?
Yes, that's why you need to target them via User ID or Serial. Never target clients via their name in plugins.
Re: can players exploit sourcemod with their name?
And how can I make a plugin that says "{playernamer} Welcome !" if we can't directly use their name? And does using PrintToChat bypass that name exploit?
Re: can players exploit sourcemod with their name?
I'm not very knowledgeable about code injection but I think sm_command is your only worry since it's executing a command without any filtering as far as I know, but stuff like PrintToChat and basically every other function doesn't work like that.
As for your specific worry though, %N is a formatting thing that puts someone's name into the string provided a client index, i.e., PrintToChat(client, "%N Welcome to the server!", client); Hopefully someone with more in-depth knowledge of SourcePawn can verify these things.
Re: can players exploit sourcemod with their name?
It is safe to use SM's Print* functions. I know only two cases where you shouldn't use player name:
1) FakeClientCommand(Ex), ServerCommand() and ClientCommand() - use UserId instead (as said in #2).
2) SQL Queries - use Database.Format or Database.Escape to escape some symbols in player name.
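The two cases listed in the post above, as an added example (not code from any poster in this thread): the server command is targeted by user ID instead of name, the greeting uses %N, and the name goes through Database.Format before it reaches SQL. The plugin layout, the "default" database entry and the `players` table with its columns are assumptions; `sm_command` is the placeholder command from the question.

```sourcepawn
#include <sourcemod>

Database g_db; // assumed: a "default" entry in databases.cfg

public void OnPluginStart()
{
    Database.Connect(OnDbConnected);
}

void OnDbConnected(Database db, const char[] error, any data)
{
    if (db == null)
        LogError("Database connect failed: %s", error);
    g_db = db;
}

public void OnClientPutInServer(int client)
{
    if (IsFakeClient(client))
        return;

    // Print* only displays the text; %N expands to the client's name.
    PrintToChatAll("%N Welcome!", client);

    // Server commands: target by "#userid", never by name.
    // sm_command is the placeholder command from the question.
    ServerCommand("sm_command \"#%d\"", GetClientUserId(client));

    char name[MAX_NAME_LENGTH], steamid[32];
    GetClientName(client, name, sizeof(name));
    if (g_db == null || !GetClientAuthId(client, AuthId_Steam2, steamid, sizeof(steamid)))
        return;

    // SQL: Database.Format escapes the strings substituted for %s.
    char query[256];
    g_db.Format(query, sizeof(query),
        "UPDATE players SET name = '%s' WHERE steamid = '%s'", // hypothetical table
        name, steamid);
    g_db.Query(OnQueryDone, query);
}

void OnQueryDone(Database db, DBResultSet results, const char[] error, any data)
{
    if (results == null)
        LogError("Query failed: %s", error);
}
```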