AlliedModders

AlliedModders (https://forums.alliedmods.net/index.php)
-   Scripting Help (https://forums.alliedmods.net/forumdisplay.php?f=11)
-   -   Is MySQL Query safe enough?! (https://forums.alliedmods.net/showthread.php?t=92451)

V I R U S 05-15-2009 11:53

Is MySQL Query safe enough?!
 
I was thinking about some plugins here, and some I wrote for myself... Some nicknames in CS/HL can act like SQL injection, or trigger some errors...

So, is it really safe to use an SQL database for statistics and other things? As I see it, there is no function in AMX like "mysql_escape_string" or similar.

Maybe there are other ways, or does AMX just do that somehow in the background?!

kib0rg 05-15-2009 13:10

Re: Is MySQL Query safe enough?!
 
Safe, just use:
Code:

replace_all(str, 31, "`", "\`");
replace_all(str, 31, "'", "\'");

to prevent SQL injection.

joaquimandrade 05-15-2009 14:08

Re: Is MySQL Query safe enough?!
 
In a nick you can't have a ", so you can do this instead:

PHP Code:

"SELECT * FROM someTable WHERE nick =^"%s^" " 

I can't confirm it works, but I guess so.

Spunky 05-16-2009 07:23

Re: Is MySQL Query safe enough?!
 
Actually:

Code:

SELECT * FROM someTable WHERE nick = '%s'
Single quote, not double, so you're fine.

joaquimandrade 05-16-2009 13:53

Re: Is MySQL Query safe enough?!
 
Quote:

Originally Posted by Spunky (Post 828471)
Actually:

Code:

SELECT * FROM someTable WHERE nick = '%s'
Single quote, not double, so you're fine.

No because you can have single quotes in nicknames.
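The escaping from kib0rg's post and the single-quote discussion that follows it, as an added Python example (not code from this thread, from AMX Mod X or from MySQL itself): it builds the `SELECT * FROM someTable WHERE nick = '%s'` query two ways, once escaping only the backtick and apostrophe as kib0rg suggested and once escaping the full character set that mysql_real_escape_string() handles, then scans the resulting SQL the way the MySQL lexer reads a single-quoted literal to see where the literal really ends. The nicknames, the table name and the helper names are constructed for the example; the escape tables follow MySQL's documented backslash escapes (`\\`, `\'`, `\"`, `\0`, `\n`, `\r`, `\Z`).

```python
from typing import Callable, Tuple

# Query template from the thread; the nick is interpolated into a
# single-quoted literal, so everything depends on how the nick is escaped.
QUERY_TEMPLATE = "SELECT * FROM someTable WHERE nick = '%s'"


def escape_quotes_only(nick: str) -> str:
    """kib0rg's replace_all() approach: backslash-escape only ` and '."""
    return nick.replace("`", "\\`").replace("'", "\\'")


def escape_mysql(nick: str) -> str:
    """Escape the characters mysql_real_escape_string() escapes.
    The backslash is handled in the same pass as the quotes, so the
    backslashes we add are never escaped a second time."""
    table = {
        "\\": "\\\\",
        "'": "\\'",
        '"': '\\"',
        "\0": "\\0",
        "\n": "\\n",
        "\r": "\\r",
        "\x1a": "\\Z",
    }
    return "".join(table.get(c, c) for c in nick)


def build_query(nick: str, escaper: Callable[[str], str]) -> str:
    """Interpolate an escaped nick into the thread's query."""
    return QUERY_TEMPLATE % escaper(nick)


def parse_literal(query: str) -> Tuple[str, str]:
    """Scan the first single-quoted literal in `query` as the MySQL lexer
    does (backslash escapes, '' doubling) and return
    (literal_value, text_after_the_closing_quote).
    If the nick is fully contained, the remainder is empty; anything else
    is SQL that the nick smuggled out of the string."""
    start = query.index("'") + 1
    unescape = {"0": "\0", "n": "\n", "r": "\r", "Z": "\x1a",
                "b": "\b", "t": "\t"}
    out = []
    i = start
    while i < len(query):
        c = query[i]
        if c == "\\" and i + 1 < len(query):
            nxt = query[i + 1]
            out.append(unescape.get(nxt, nxt))
            i += 2
        elif c == "'":
            if i + 1 < len(query) and query[i + 1] == "'":
                out.append("'")        # '' inside a literal is one quote
                i += 2
            else:
                return "".join(out), query[i + 1:]
        else:
            out.append(c)
            i += 1
    raise ValueError("unterminated string literal")


def nick_survives(nick: str, escaper: Callable[[str], str]) -> bool:
    """True when MySQL would see exactly the nick as the literal and no
    part of the nick leaked out of the quotes into the SQL."""
    value, rest = parse_literal(build_query(nick, escaper))
    return value == nick and rest == ""


if __name__ == "__main__":
    # Constructed nicks: a legitimate one with an apostrophe, and one that
    # puts a backslash in front of the apostrophe so that quote-only
    # escaping turns "\'" into "\\'" (an escaped backslash, then a live quote).
    for nick in ["O'Neil", "\\' OR 1=1 --"]:
        for name, esc in [("quotes only", escape_quotes_only),
                          ("mysql escape", escape_mysql)]:
            q = build_query(nick, esc)
            print(f"{name:12} {q!r:55} survives={nick_survives(nick, esc)}")
```

Escaping only the quote characters holds for a plain `O'Neil`, but a nick that contains a backslash before the apostrophe ends the literal early and the rest of the nick runs as SQL; escaping the backslash along with the quotes keeps the whole nick inside the literal. Two caveats a practitioner should keep in mind: this scanner assumes MySQL's default backslash handling (with `sql_mode=NO_BACKSLASH_ESCAPES` the backslash is ordinary and only `''` doubling terminates a quote correctly), and it covers only the single-quoted-literal context of the thread's query, not identifiers in backticks or values outside quotes, so where the database layer offers its own quoting or parameter binding that is the safer choice.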

