Risks of not using escapeSQLString( string )

Started by Sebastian, Jul 19, 2018, 08:05 AM


Sebastian

Can somebody list all the risks of not using this function, according to VC:MP?
I'm pretty sure this kind of topic will be helpful for a large part of the community.

DizzasTeR

If it's related to "escapeSQL"-type functions, then the biggest risk of not using it is SQL injection: people can destroy, delete, or manipulate your database in any way via SQL injection, and there's no way out of it.

.

#2
What plugin is this? Because we have two SQL-related plugins, MySQL and SQLite, and I can't find it in either of them.
.

DizzasTeR

#3
Well, in that case it's used when you retrieve data from the database, to clear it after you have used it; it's often used after 'SELECT'-type queries where you want to clear the result to garbage data.

:edit: My memory cuts short, but this is what I think, as I used the SQLite plugin long ago :D

Sebastian

#4
SQLite

I've heard that if somebody uses a name like ');DROP ALL TABLES, it can ruin my server.
(because I'm not using escapeSQLString( name ))

But if you try to use that name, you won't be able to, because VC:MP will convert it to: _)_DROP.

Still, there are cases when I let players write down a message in the database.
=> so, as you said, by not using escapeSQLString( their message ), they can drop my database by using a name like the one I gave above.
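The two risks raised in the posts above (a quoted value breaking out of the query, and a stacked DROP hidden in a player message) are shown concretely here. This is an added example and not code from the thread or from the VC:MP plugins; it uses Python's built-in sqlite3 module as a stand-in for a VC:MP SQLite script, the schema and rows are constructed for the demo, and escape_sql_string is an assumed stand-in for escapeSQLString (doubling single quotes), since the thread does not document the real helper's rules.

```python
import sqlite3


# Constructed sample schema and rows for the demonstration (not from the thread).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE players (name TEXT, password TEXT, admin INTEGER)")
    conn.executemany(
        "INSERT INTO players VALUES (?, ?, ?)",
        [("Sebastian", "s3cret", 1), ("Dizzy", "hunter2", 0)],
    )
    conn.execute("CREATE TABLE messages (author TEXT, body TEXT)")
    conn.commit()
    return conn


def escape_sql_string(s):
    """Assumed behaviour of an escapeSQLString-style helper: double every
    single quote so the value can no longer terminate the quoted literal.
    The real VC:MP helper's exact rules are not given in the thread."""
    return s.replace("'", "''")


def login_vulnerable(conn, name, password):
    # Raw concatenation: the player's input is parsed as SQL syntax.
    sql = ("SELECT name, admin FROM players WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()


def login_escaped(conn, name, password):
    # Same query shape, but every quote in the input is neutralised first.
    sql = ("SELECT name, admin FROM players WHERE name = '" + escape_sql_string(name)
           + "' AND password = '" + escape_sql_string(password) + "'")
    return conn.execute(sql).fetchone()


def login_parameterized(conn, name, password):
    # Preferred fix where the driver supports it: bound parameters never
    # become part of the SQL grammar at all.
    return conn.execute(
        "SELECT name, admin FROM players WHERE name = ? AND password = ?",
        (name, password),
    ).fetchone()


def store_message_vulnerable(conn, author, body):
    # executescript runs every statement in the string, which is what lets a
    # stacked DROP TABLE inside a player message reach the database.
    conn.executescript(
        "INSERT INTO messages VALUES ('" + author + "', '" + body + "');")


def store_message_safe(conn, author, body):
    conn.execute("INSERT INTO messages VALUES (?, ?)", (author, body))
    conn.commit()


def table_exists(conn, name):
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = ?",
        (name,),
    ).fetchone()
    return row[0] == 1


def demo():
    results = {}

    # 1. Login bypass: the password closes the literal and appends OR '1'='1',
    #    so the WHERE clause is true for every row and the first (admin) row
    #    comes back without the real password.
    bypass = "x' OR '1'='1"
    conn = make_db()
    results["vuln_login"] = login_vulnerable(conn, "Sebastian", bypass)
    results["escaped_login"] = login_escaped(conn, "Sebastian", bypass)
    results["param_login"] = login_parameterized(conn, "Sebastian", bypass)

    # 2. Stacked query in a chat message, in the spirit of the ');DROP example
    #    above. The payload closes the INSERT, drops the table, and ends with a
    #    harmless SELECT so the trailing quote added by the script still parses.
    payload = "hi'); DROP TABLE messages; SELECT ('"
    conn = make_db()
    store_message_vulnerable(conn, "Player", payload)
    results["table_after_vuln"] = table_exists(conn, "messages")

    conn = make_db()
    store_message_safe(conn, "Player", payload)
    results["table_after_safe"] = table_exists(conn, "messages")
    results["stored_body"] = conn.execute("SELECT body FROM messages").fetchone()[0]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Escaping every player-supplied string before concatenating it is the minimum; where the plugin you use offers bound parameters, prefer those, because they remove the need to get the escaping rules right for every query.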

.

Hold on. What are we talking about here? Escaping query strings or freeing query results? Those are two different things. There seems to be a ton of confusion in this topic as to what we are talking about.
.

Sebastian

Quote from: . on Jul 19, 2018, 11:53 AM
There seems to be a ton of confusion in this topic as to what we are talking about.

which I tried to clear when I bolded the correct function name in my last post.
Really sorry for that, for writing it wrong before. This shows how much I have been using this function :)

But from now on, I will use it, so there will be no harm taken by my database.

EK.IceFlake

Quote from: vitogta on Jul 19, 2018, 10:42 AM
Quote from: . on Jul 19, 2018, 10:01 AM
What plugin is this? Because we have two SQL-related plugins, MySQL and SQLite, and I can't find it in either of them.
He should be asking about FreeSQLQuery of SQLite.
If you don't free your queries, every query will cause your server's memory usage to increase a little. After a while, you will run out of memory.