[Release] Anik's Registration system ( GUI - 04rel004 )

Mohamed

  • Full Member
  • Regards, We3da
  • Posts: 247
[Release] Re: Anik's Registration system ( GUI - 04rel004 )
Reply #45
Quote from Xmair on November 2nd, 2017, 09:09 AM
Quote from [MCO]We3da on November 2nd, 2017, 07:11 AM
Quote from [MCO]We3da on November 1st, 2017, 08:12 PM
Quote from Shadow on November 1st, 2017, 04:04 PM
I find it admirable that you thought of escaping the strings before doing the select query but you should've also escaped the name in the update query. Otherwise, BAD things can happen...
I never, never, never, never, never, never understand anything.
Please @Xmair, give me an example bro :(
Imagine you have a command /gotoloc which executes the following query:
"SELECT XYZ FROM Locations WHERE Name = '" + locationName + "'"
where locationName is a string input by the user in the gotoloc command. Imagine there's a bad guy who uses /gotoloc '; DROP TABLE Accounts; instead of a location, this'll get executed:
"SELECT XYZ FROM Locations WHERE Name = ''; DROP TABLE Accounts;"
This'll ultimately execute both of the queries as there is a semicolon right after the SELECT query. To avoid this, you use mysql_escape in mySQL and escapeSQLString in SQLite.
You must be using SQLite, so I'm going to put up an example which can be used with the default SQLite plugin for VCMP.
Instead of:
QuerySQL( database, "SELECT XYZ FROM Locations WHERE Name = '" + locationName + "'" );
Use:
QuerySQL( database, "SELECT XYZ FROM Locations WHERE Name = '" + escapeSQLString( locationName ) + "'" );
Simple, isn't it? I've tried my best to explain it as easy as I could, if you still don't get it, meh.
@Xmair, you are the best one, you helped me, I'm happy and I've learned now.
Thanks for helping, my friend :D
Feel Free To PM Me For Any Support, I'm Care.
Anyway u can Contact Me Ingame!
Ingame Name: [AFt]We3da^
My Own Server: ViceEvil Server
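A worked version of Xmair's gotoloc example, added here and not taken from the thread or from the VC:MP SQLite plugin: escape_sql_string is assumed to behave like the plugin's escapeSQLString (doubling single quotes), the tables and rows are constructed, and Python's sqlite3 stands in for QuerySQL. It also covers Shadow's point that the UPDATE must be escaped too, and shows parameter binding as the alternative where no escaping call can be forgotten.

```python
import sqlite3

# Constructed scratch database standing in for the server's SQLite file.
SCHEMA = """
CREATE TABLE Locations (Name TEXT PRIMARY KEY, X REAL, Y REAL, Z REAL);
INSERT INTO Locations VALUES ('Mall', 1.0, 2.0, 3.0);
CREATE TABLE Accounts (Name TEXT PRIMARY KEY, Skin INTEGER);
INSERT INTO Accounts VALUES ('We3da', 0);
"""

def open_scratch_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def escape_sql_string(value: str) -> str:
    """Quote doubling, the behaviour assumed for the plugin's escapeSQLString:
    a ' inside a literal becomes '' so it cannot terminate the literal."""
    return value.replace("'", "''")

def unsafe_query(location_name: str) -> str:
    # Raw concatenation: a quote in the input ends the literal early and
    # whatever follows is parsed as SQL (the gotoloc case from the post).
    return "SELECT X, Y, Z FROM Locations WHERE Name = '" + location_name + "'"

def escaped_query(location_name: str) -> str:
    # Same query with the value escaped first; the input stays one literal.
    return ("SELECT X, Y, Z FROM Locations WHERE Name = '"
            + escape_sql_string(location_name) + "'")

def goto_location(db: sqlite3.Connection, location_name: str) -> list:
    """Runs the escaped lookup and returns the matching coordinates."""
    return db.execute(escaped_query(location_name)).fetchall()

def set_account_skin(db: sqlite3.Connection, name: str, skin: int) -> int:
    """The UPDATE Shadow points at: the name needs escaping here as well,
    not only in the SELECT. Returns the number of rows changed."""
    sql = ("UPDATE Accounts SET Skin = " + str(int(skin))
           + " WHERE Name = '" + escape_sql_string(name) + "'")
    return db.execute(sql).rowcount

def goto_location_param(db: sqlite3.Connection, location_name: str) -> list:
    """Parameter binding: the driver keeps data and SQL apart."""
    return db.execute("SELECT X, Y, Z FROM Locations WHERE Name = ?",
                      (location_name,)).fetchall()

def account_table_exists(db: sqlite3.Connection) -> bool:
    row = db.execute("SELECT count(*) FROM sqlite_master WHERE name = 'Accounts'").fetchone()
    return row[0] == 1
```

Running escaped_query on the post's input gives `... WHERE Name = '''; DROP TABLE Accounts;'`, a single quoted value that matches no location, while unsafe_query leaves the `;` outside the literal.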
