Vice City: Multiplayer

Server Development => Scripting and Server Management => Topic started by: Sebastian on Jul 19, 2018, 08:05 AM

Title: [?] Risks of not using escapeSQLString( string )
Post by: Sebastian on Jul 19, 2018, 08:05 AM
Can somebody list all the risks of not using this function, according to VC:MP?
I'm pretty sure this kind of topic will be helpful for a large part of the community.
Title: Re: [?] Risks of not using FreeSQLString()
Post by: DizzasTeR on Jul 19, 2018, 09:19 AM
If it's related to "escapeSQL" kind of functions, then the biggest risk of not using it is SQL injection: people can destroy, delete, or manipulate your database in any way via SQL injection, and there's no way out of it.
Title: Re: [?] Risks of not using FreeSQLString()
Post by: . on Jul 19, 2018, 10:01 AM
What plugin is this? Because we have two SQL-related plugins: MySQL and SQLite. And I can't find it in either of them.
Title: Re: [?] Risks of not using FreeSQLString()
Post by: DizzasTeR on Jul 19, 2018, 11:01 AM
Well, in that case it's used when you retrieve data from the database, to clear it after you have used it; often used after 'SELECT' kind of queries where you want to clear the result as garbage data.

Edit: My memory cuts short, but this is what I think, as I used the SQLite plugin long ago :D
Title: Re: [?] Risks of not using FreeSQLString( string )
Post by: Sebastian on Jul 19, 2018, 11:26 AM
SQLite

I've heard that if somebody uses a name like ');DROP ALL TABLES, it can ruin my server.
(because I'm not using escapeSQLString( name ))

But if you try to use that name, you won't be able to, because VC:MP will convert it to: _)_DROP.

Still, there are cases where I let players write a message into the database.
=> so, as you said, by not using escapeSQLString( their message ), they can drop my database by using a name like the one I gave above.
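As an added example (not code from this thread or from the VC:MP SQLite plugin), the following shows what the post above is worried about: a player-supplied message concatenated straight into an INSERT. VC:MP scripts are Squirrel; Python's sqlite3 module is used here only because it drives a real SQLite database offline. The `escape_sql_string` helper is assumed to behave like the plugin's `escapeSQLString()` (doubling single quotes); the table layout, the `Player`/`Admin` accounts and the payload are constructed for the demonstration. Note that the payload needs no second statement and no DROP: a single INSERT is enough to copy the admin's stored password into a message every player can read.

```python
import sqlite3

# Added example, not code from the VC:MP forum thread or the SQLite plugin.
# VC:MP scripts are Squirrel; Python's sqlite3 module is used here only to
# show the same injection against a real SQLite database.


def make_db():
    """Constructed sample database: an account table and a message table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE accounts (name TEXT PRIMARY KEY, password TEXT);
        CREATE TABLE messages (author TEXT, body TEXT);
        INSERT INTO accounts VALUES ('Admin', 'admin-password-hash');
        INSERT INTO accounts VALUES ('Sebastian', 'seb-password-hash');
    """)
    return conn


def escape_sql_string(text):
    """Assumed to mirror the plugin's escapeSQLString(): a single quote inside
    a quoted SQL literal is written as two single quotes, so player text can
    never close the literal early."""
    return text.replace("'", "''")


# Constructed payload a player could type as a chat message. It closes the
# body literal, supplies the author column from a subquery, and comments out
# the rest of the statement the script appends.
PAYLOAD = "hi', (SELECT password FROM accounts WHERE name = 'Admin')) --"


def store_message_unsafe(conn, author, body):
    """String concatenation, no escaping: the player text becomes SQL."""
    query = ("INSERT INTO messages (body, author) VALUES ('"
             + body + "', '" + author + "')")
    conn.execute(query)
    return query


def store_message_escaped(conn, author, body):
    """Same query shape, but every player-controlled value is escaped first."""
    query = ("INSERT INTO messages (body, author) VALUES ('"
             + escape_sql_string(body) + "', '" + escape_sql_string(author) + "')")
    conn.execute(query)
    return query


def store_message_param(conn, author, body):
    """Parameterised statement: values never touch the SQL text at all."""
    conn.execute("INSERT INTO messages (body, author) VALUES (?, ?)", (body, author))


def all_messages(conn):
    """Return (author, body) rows in insertion order."""
    return conn.execute("SELECT author, body FROM messages ORDER BY rowid").fetchall()


def demo(store):
    """Run one storage routine against a fresh database and return the rows."""
    conn = make_db()
    store(conn, "Player", PAYLOAD)
    return all_messages(conn)


if __name__ == "__main__":
    for label, store in [("unsafe", store_message_unsafe),
                         ("escaped", store_message_escaped),
                         ("parameterised", store_message_param)]:
        print(label, demo(store))
```

With the unsafe routine the stored row is `('admin-password-hash', 'hi')`: the attacker's subquery became the author column. With escaping, or with `?` parameters, the row is `('Player', <payload>)` and the payload is just text. Two caveats worth keeping in mind: quote-doubling only protects values that sit inside a single-quoted literal, so a number concatenated without quotes, or a player-chosen table or column name, still needs its own validation; and where the database API offers bound parameters, they remove the problem entirely and are preferable to escaping.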
Title: Re: [?] Risks of not using FreeSQLString( string )
Post by: . on Jul 19, 2018, 11:53 AM
Hold on. What are we talking about here? Escaping query strings or freeing query results? Because those are two different things. There seems to be a ton of confusion in this topic as to what are we talking about.
Title: Re: [?] Risks of not using FreeSQLString( string )
Post by: Sebastian on Jul 19, 2018, 11:58 AM
Quote from: . on Jul 19, 2018, 11:53 AM
There seems to be a ton of confusion in this topic as to what are we talking about.

which I tried to clear up when I bolded the correct function name in my last post.
Really sorry for writing it wrong before. This shows how much I have been using this function :)

But from now on, I will use it, so there will be no harm taken by my database.
Title: Re: [?] Risks of not using FreeSQLString()
Post by: EK.IceFlake on Jul 19, 2018, 01:21 PM
Quote from: vitogta on Jul 19, 2018, 10:42 AM
Quote from: . on Jul 19, 2018, 10:01 AM
What plugin is this? Because we have two SQL related plugins. MySQL and SQLite. And I can't find it in neither of them.
He should be asking about FreeSQLQuery of SQLite.
If you don't free your queries, every query will cause your server's memory usage to increase a little. After a while, you will run out of memory.