[README] SQL injection vulnerability to users

Started by EK.IceFlake, Apr 11, 2015, 11:39 AM


EK.IceFlake

Hi guys!
I am here to warn you: Do not use any function with SQL that takes a user input. Our servers are highly vulnerable to SQL injection. Let me give you an example:
if (command == "carinfo")
{
    local q = QuerySQL("select * from cars where id=" + arguments);
    //...
}
Never ever use code like that. What if some player (probably clever at hacking and SQL injection) typed this command?
/carinfo 0; drop table cars
Well, it will execute this query:
select * from cars where id=0; drop table cars
This will result in all cars being deleted,
or he can write
/carinfo 0; update cars set owner='mee' where id=192
which will result in him stealing the car. So, use safety guards: for example, reject non-numeric input or reject semicolons.
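The two guards described in this post (reject anything that is not a plain numeric id, and keep the argument out of the SQL text by binding it as a parameter), as an added Python example run against an in-memory SQLite table. This is not VC:MP or Squirrel code; the cars table and its rows are constructed for the demonstration, and the `carinfo_vulnerable` function only mirrors the concatenation pattern from the post so the two handlers can be compared.

```python
import re
import sqlite3


def make_db():
    """Constructed stand-in for the server's cars table."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "create table cars (id integer primary key, owner text);"
        "insert into cars values (0, 'alice'), (192, 'bob');"
    )
    return db


def table_exists(db, name):
    row = db.execute(
        "select 1 from sqlite_master where type='table' and name=?", (name,)
    ).fetchone()
    return row is not None


# A car id is a short run of decimal digits and nothing else: no sign,
# no spaces inside, no semicolons, no SQL keywords.
ID_RE = re.compile(r"[0-9]{1,9}")


def parse_car_id(arguments):
    """Return the id as an int, or None when the argument is not a plain number."""
    s = arguments.strip()
    if not ID_RE.fullmatch(s):
        return None
    return int(s)


def carinfo_vulnerable(db, arguments):
    """The pattern from the post: the argument is pasted into the query text and
    the driver is allowed to run every statement it finds."""
    db.executescript("select * from cars where id=" + arguments)


def carinfo_safe(db, arguments):
    """Hardened handler: validate first, then bind the value as a parameter so
    the database never parses the player's text as SQL."""
    car_id = parse_car_id(arguments)
    if car_id is None:
        return None  # caller replies with a usage message instead of querying
    return db.execute(
        "select id, owner from cars where id=?", (car_id,)
    ).fetchone()
```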

Thijn

There's a function called escapeSQLString that will escape user input.