Hi ppl,
I have one MySQL query:
Code:
// user_name and password are placed into the SQL string exactly as received, without escaping
format(CheckQuery, 254, "SELECT `id` FROM `users` WHERE `nick`='%s' AND `password`='%s'", user_name, password)
It contains the user's name, and it is open to SQL injection. How can I prevent it? If I set my name to "; 'OR 'x'='x", my server's console says:
Code:
01/08/2009 - 21:39:45: [AMXX] Plugin ("sql_vip.amxx") is setting itself as failed.
L 01/08/2009 - 21:39:45: [AMXX] Plugin says: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'x'='x' AND `password`='lopas'' at line 1
L 01/08/2009 - 21:39:45: [AMXX] Run time error 1 (plugin "sql_vip.amxx") - forced exit
Ignoring custom decal from ; OR 'x'='x
L 01/08/2009 - 21:39:45: "; OR 'x'='x<1><STEAM_ID_PENDING><>" entered the game
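One way to close this hole, as an added example written for this reply rather than code from the post or from AMX Mod X itself: escape both values with the SQLx native SQL_QuoteString before they are formatted into the query, so a quote inside a nickname can no longer terminate the string literal. The helper name BuildCheckQuery, the buffer sizes, and the assumption that the plugin already holds an open SQLx connection handle (db) are mine; the query text is the one from the post.

```pawn
#include <amxmodx>
#include <sqlx>

// Hypothetical helper (not part of the original plugin): builds the login query
// with both user-supplied values escaped first.
// Assumes `db` is an open SQLx connection handle and that `CheckQuery` is the
// 254-char buffer used in the post.
// Returns 1 when the query was built, 0 when escaping failed and the query must not run.
stock BuildCheckQuery(Handle:db, CheckQuery[], len, const user_name[], const password[])
{
    new safe_name[64];
    new safe_pass[64];

    // SQL_QuoteString escapes quote characters (and backslashes) for the connected
    // database, so the input "; 'OR 'x'='x" stays inside the `nick` string literal.
    if (!SQL_QuoteString(db, safe_name, charsmax(safe_name), user_name)
        || !SQL_QuoteString(db, safe_pass, charsmax(safe_pass), password))
    {
        // Escaping failed (for example, no usable connection): refuse rather than
        // fall back to the raw values.
        return 0;
    }

    format(CheckQuery, len,
        "SELECT `id` FROM `users` WHERE `nick`='%s' AND `password`='%s'",
        safe_name, safe_pass);
    return 1;
}
```

Calling BuildCheckQuery instead of the bare format() means a nickname containing quotes is searched for literally instead of being parsed as SQL, and the "Run time error 1" / "forced exit" shown in the console no longer happens because the query stays syntactically valid. The example keeps the post's plaintext password comparison unchanged; escaping addresses the injection only, not how the password is stored.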