AlliedModders - View Single Post

Dr.Mohammad · 08-09-2020 , 00:07 Re: [CSGO] Error Log

Quote:

Originally Posted by Fyren

If you don't know how to write SP, you should just find a different plugin because that one is insecure.

If you can or someone cares enough to fix it, it should not use plain Format/FormatEx to create SQL queries because that leads to SQL injection vulnerabilities.

this plugin best ban manager for server. but i have this problem

can you fix this?

PHP Code:


			
void DB_CreateBan(const char[] auth = "N/A", const char[] ip = "N/A", int time, BanType type, const char[] name = "N/A", int timestamp, const char[] reason = "N/A", const char[] adminAuth, const char[] adminName)

{

    Call_StartForward(g_hOnBanCreated_Pre);

    Call_PushString(auth);

    Call_PushString(ip);

    

    Action result;

    Call_Finish(result);

    

    if(result != Plugin_Handled)

    {

        DataPack data = new DataPack();

        data.WriteString(auth);

        data.WriteString(ip);

        data.WriteCell(time);

        data.WriteCell(type);

        data.WriteString(name);

        data.WriteCell(timestamp);

        data.WriteString(reason);

        data.WriteString(adminAuth);

        data.WriteString(adminName);

        

        char sQuery[500];

        FormatEx(sQuery, sizeof(sQuery), "INSERT INTO `%s` (`Auth`, `Ip`, `Time`, `Type`, `Name`, `Timestamp`, `Reason`, `AdminAuth`, `AdminName`) VALUES ('%s', '%s', '%d', '%d', '%s', '%d', '%s', '%s', '%s');", 

            DBName,

            auth,

            ip,

            time,

            type,

            name,

            timestamp,

            reason,

            adminAuth,

            adminName);

            

        g_hDB.Query(DB_CreateBan_Callback, sQuery, data);

    }

}



public void DB_CreateBan_Callback(Database db, DBResultSet results, const char[] error, DataPack data)

{

    if(results != null)

    {

        char sAuth[32], sIp[16], sName[MAX_NAME_LENGTH], sReason[MAX_REASON_LENGTH], sAdminAuth[32], sAdminName[MAX_NAME_LENGTH], sKey[16];

        

        data.Reset();

        data.ReadString(sAuth, sizeof(sAuth));

        data.ReadString(sIp, sizeof(sIp));

        int time = data.ReadCell();

        BanType type = data.ReadCell();

        data.ReadString(sName, sizeof(sName));

        int timestamp = data.ReadCell();

        data.ReadString(sReason, sizeof(sReason));

        data.ReadString(sAdminAuth, sizeof(sAdminAuth));

        data.ReadString(sAdminName, sizeof(sAdminName));

        

        any[] pack = new any[BanCache];

        

        FormatEx(pack[Auth], 32, "%s", sAuth);

        FormatEx(pack[Ip], 16, "%s", sIp);

        pack[Time] = time;

        pack[Type] = type;

        FormatEx(pack[Name], MAX_NAME_LENGTH, "%s", sName);

        pack[Timestamp] = timestamp;

        FormatEx(pack[Reason], MAX_REASON_LENGTH, "%s", sReason);

        FormatEx(pack[AdminAuth], 32, "%s", sAdminAuth);

        FormatEx(pack[AdminName], MAX_NAME_LENGTH, "%s", sAdminName);



        IntToString(g_hBanCache.Size, sKey, sizeof(sKey));

        g_hBanCache.SetArray(sKey, pack, view_as<int>(BanCache));

        

        Call_StartForward(g_hOnBanCreated_Post);

        Call_PushString(sAuth);

        Call_PushString(sIp);

        Call_Finish();

    }

    else

    {

        LogError("DB_CreateBan_Callback: %s", error);

    }

    

    delete data;

}

ty :X