[aron9forever]

Is the equivalent of

PHP Code:

$sql = 'SELECT * FROM `users` WHERE `username`=?';
     
    /* Prepare statement */
    $stmt = $conn->prepare($sql);
    if($stmt === false) {
      trigger_error('Wrong SQL: ' . $sql . ' Error: ' . $conn->errno . ' ' . $conn->error, E_USER_ERROR);
    }

     
    /* Bind parameters. Types: s = string, i = integer, d = double,  b = blob */
    $stmt->bind_param('s', $player);
     
    /* Execute statement */
    $stmt->execute();

    $res = $stmt->get_result();
    $row = $res->fetch_assoc(); 


possible in amxmodx? I'm building a website - server link and I can't have people registering on the site with query breaking names(or even worse, injections), then logging in ingame and mess things up
This be my current auth

Code:

public client_connect(id)
    {
    new nume[32], szTemp[512]
    get_user_name(id, nume, 31)

    new Data[1]
    Data[0] = id

    format(szTemp,charsmax(szTemp),"SELECT `password`,`admlevel` FROM `accounts` WHERE (`auth` = '%s')", nume)
    SQL_ThreadQuery(g_SqlTuple,"register_client",szTemp,Data,1)
}

public register_client(FailState,Handle:Query,Error[],Errcode,Data[],DataSize)
{
    if(FailState == TQUERY_CONNECT_FAILED)
    {
        log_amx("Load - Could not connect to SQL database.  [%d] %s", Errcode, Error)
    }
    else if(FailState == TQUERY_QUERY_FAILED)
    {
        log_amx("Load Query failed. [%d] %s", Errcode, Error)
    }

    new id
    id = Data[0]

    if(SQL_NumResults(Query) < 1)
    {
        show_menu(id,0)
    }
    else
    {
        SQL_ReadResult(Query, 0, password, 31)
        admlevel = SQL_ReadResult(Query, 1)
        get_user_info(id, "_r", savedpassword, 31)
        if(equal(password,savedpassword))
        {
            flagbits = read_flags ( admranks[admlevel] )
            set_user_flags(id, flagbits)
        }
        else
        {
            show_menu(id,1)
        }
    }
    SQL_FreeHandle(Query)
    return PLUGIN_HANDLED
}

I really don't want to get to character filtering

[GordonFreeman (RU)]

You can use this function from AMXBans:

Code:

/*********    mysql escape functions     ************/
mysql_escape_string(dest[],len)
{
    //copy(dest, len, source);
    replace_all(dest,len,"\\","\\\\");
    replace_all(dest,len,"\0","\\0");
    replace_all(dest,len,"\n","\\n");
    replace_all(dest,len,"\r","\\r");
    replace_all(dest,len,"\x1a","\Z");
    replace_all(dest,len,"'","\'");
    replace_all(dest,len,"^"","\^"");
}

This will make string safe for sql query. Don't forget about buffer size. You need *3 buffer size for filtred string.

[aron9forever]

Quote:

Originally Posted by GordonFreeman (RU) You can use this function from AMXBans: Code: /*********    mysql escape functions     ************/ mysql_escape_string(dest[],len) {     //copy(dest, len, source);     replace_all(dest,len,"\\","\\\\");     replace_all(dest,len,"\0","\\0");     replace_all(dest,len,"\n","\\n");     replace_all(dest,len,"\r","\\r");     replace_all(dest,len,"\x1a","\Z");     replace_all(dest,len,"'","\'");     replace_all(dest,len,"^"","\^""); } This will make string safe for sql query. Don't forget about buffer size. You need *3 buffer size for filtred string.

so by adding \ to mark it as a literal string im safe?
i doubt it mon

[GordonFreeman (RU)]

Learn about SQL injections and SQL syntax.
For example, some l33th4x0r enter hisqlinject');DROP TABLE `accounts`;, your plugin will query following:
SELECT `password`,`admlevel` FROM `accounts` WHERE (`auth` = 'hisqlinject');
DROP TABLE `accounts`;
');

[aron9forever]

Quote:

Originally Posted by GordonFreeman (RU) Learn about SQL injections and SQL syntax. For example, some l33th4x0r enter hisqlinject');DROP TABLE `accounts`;, your plugin will query following: SELECT `password`,`admlevel` FROM `accounts` WHERE (`auth` = 'hisqlinject'); DROP TABLE `accounts`; ');

and how exactly would your function filter this? you don't need `` to define a table

[YamiKaitou]

Quote:

Originally Posted by aron9forever and how exactly would your function filter this? you don't need `` to define a table

Because your query will then look like this (and it will not drop the table) and will most likely cause an error.

Code:

SELECT `password`,`admlevel` FROM `accounts` WHERE (`auth` = 'hisqlinject\');DROP TABLE `accounts`;');

It will basically search for "hisqlinject\');DROP TABLE `accounts`;" as the value of auth.


If you are trying to prevent SQLInjections, please learn how they are performed first.



But to address your original question, no you cannot use Prepared Statements with SQLx

[aron9forever]

Quote:

Originally Posted by YamiKaitou If you are trying to prevent SQLInjections, please learn how they are performed first

leading people on the right path since 2006

but seriously, I didn't know you can real escape strings in a mysql syntax, im sorry
that will have to work I guess

[aron9forever]

I'm back, forgot about this crap.
The above function doesn't seem to work(but I'm just probably using it wrong)

Here's the implementation

PHP Code:

format(szTemp,charsmax(szTemp),"UPDATE `orewest` SET minutes='%d' WHERE `auth` = '%s';",iMinutes[id], mysql_escape_string(nume,charsmax(nume))) 


[Arkshine]

mysql_escape_string() doesn't return a string...

Call it before, and use "nume" in format().

[Lycode]

Quote:

Originally Posted by GordonFreeman (RU) You can use this function from AMXBans: Don't forget about buffer size. You need *3 buffer size for filtred string.

Can you elaborate on that? What do you mean by "3 times buffer size"?