AlliedModders (https://forums.alliedmods.net/index.php)
-   Scripting Help (https://forums.alliedmods.net/forumdisplay.php?f=11)
-   -   Secure SQL Query (https://forums.alliedmods.net/showthread.php?t=76945)

AbeXito 09-02-2008 13:14

Secure SQL Query
 
Hi There.

I'm writing my own real-time statistics for CS. I need to insert the player name into the database, so I'm doing this:
PHP Code:

// the nick is formatted straight into the query text, unescaped
format(sql_query, 511, "SELECT * FROM `stats` WHERE `nick`='%s';", name)
new Handle:Query = SQL_PrepareQuery(SqlConnection, sql_query)
if (!SQL_Execute(Query)) {
    SQL_QueryError(Query, g_Error, 511)
    server_print("* SQL Error: %s", g_Error)
}
if (SQL_NumResults(Query) == 0) {
    // no row for this nick yet, so insert one
    format(sql_query, 511, "INSERT `stats` (`nick`) VALUES ('%s');", name)
    new Handle:Query2 = SQL_PrepareQuery(SqlConnection, sql_query)
    if (!SQL_Execute(Query2)) {
        SQL_QueryError(Query2, g_Error, 511)
        server_print("* SQL Error: %s", g_Error)
    }
    SQL_FreeHandle(Query2)
}
SQL_FreeHandle(Query)

But if the player's nick contains special chars like ", ' or `, the query will fail and the server can be hacked.

Replacing these chars with "_" or something is not a good idea, because I need to store the real nickname in the DB. I could also replace these symbols with {qout} {dblqout} {otherquot} and restore them later.

Is there another way to insert " ' ` into the database?

My idea:
PHP Code:

// prefix each quote character with a backslash before it goes into the query
// (note: replace() only rewrites the first occurrence of each character)
replace(nick, 32, "'", "\'")
replace(nick, 32, "`", "\`")
replace(nick, 32, "^"", "[slash here]^"")

Will it work fine? Any suggestions?

danielkza 09-02-2008 13:42

Re: Secure SQL Query
 
http://www.amxmodx.org/funcwiki.php?go=func&id=1182
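An escaped version of the lookup-and-insert from the first post, added here as an example and not code posted in the thread: it runs the nickname through sqlx's SQL_QuoteString before formatting it into the query, and refuses to run the query at all if quoting fails. The function name, the `db` parameter and the buffer sizes are assumptions.

```pawn
#include <amxmodx>
#include <sqlx>
#define QUERY_LEN 511
#define NICK_LEN  32

// Looks up `name` in stats and inserts it if missing. Returns false on any SQL
// failure. `db` is the connection handle the caller already opened (assumed).
stock bool:ensure_player_row(Handle:db, const name[])
{
    new safe_nick[NICK_LEN * 2 + 1]   // worst case: every char gets escaped
    new sql_query[QUERY_LEN + 1]
    new error[QUERY_LEN + 1]

    // SQL_QuoteString escapes quotes/backslashes the way the active driver
    // expects. Non-zero means the result is NOT usable (buffer too small or
    // driver unsupported), so bail out instead of using the raw name.
    if (SQL_QuoteString(db, safe_nick, charsmax(safe_nick), name) != 0)
    {
        server_print("* SQL Error: could not quote nick")
        return false
    }

    format(sql_query, charsmax(sql_query),
        "SELECT * FROM `stats` WHERE `nick`='%s';", safe_nick)
    new Handle:query = SQL_PrepareQuery(db, sql_query)
    if (!SQL_Execute(query))
    {
        SQL_QueryError(query, error, charsmax(error))
        server_print("* SQL Error: %s", error)
        SQL_FreeHandle(query)
        return false
    }

    new bool:ok = true
    if (SQL_NumResults(query) == 0)
    {
        format(sql_query, charsmax(sql_query),
            "INSERT INTO `stats` (`nick`) VALUES ('%s');", safe_nick)
        new Handle:query2 = SQL_PrepareQuery(db, sql_query)
        if (!SQL_Execute(query2))
        {
            SQL_QueryError(query2, error, charsmax(error))
            server_print("* SQL Error: %s", error)
            ok = false
        }
        SQL_FreeHandle(query2)
    }
    SQL_FreeHandle(query)
    return ok
}
```

The escaped copy is only valid for the driver that produced it, so the quoting is done at query time rather than stored back into the player's nick.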

AbeXito 09-02-2008 13:49

Re: Secure SQL Query
 
Thanks, danielkza

