- 0
Problema sql
-
Similar Content
-
- 2 answers
- 614 views
-
Problema turf
By Soryn.,
- 3 answers
- 402 views
-
- 0 replies
- 142 views
-
- 2 replies
- 331 views
-
- 1 reply
- 203 views
-
-
Recently Browsing 0 members
- No registered users viewing this page.
Question
wifi123
Nick: wifi123
Problema:Salut SA:MP.ro am si eu o problema cu baza de date sql , recent am primit sql injection de la cineva si mi-a sters toate conturile de pe server , am incercat sa bag protectie anti sql injection cu dar in zadar ,
Erori / warnings:-
Lini/script: Mai jos
Ai incercat sa rezolvi singur ?:Da , dar in zadar
Acest cod l-am bagat in gm cu gandul ca ma v-a proteja dar nimic...
[pawn]stock DB_Escape(text[])
{
new
ret[MAX_INI_ENTRY_TEXT * 2],
ch,
i,
j;
while ((ch = text[i++]) && j < sizeof (ret))
{
if (ch == '\'')
{
if (j < sizeof (ret) - 2)
{
ret[j++] = '\'';
ret[j++] = '\'';
}
}
else if (j < sizeof (ret))
{
ret[j++] = ch;
}
else
{
j++;
}
}
ret[sizeof (ret) - 1] = '\0';
return ret;
}[/pawn]
De exemplu , am aceste lini
[pawn]stock ShowTop(playerid, stats[], what[], limit = MAX_TOP_LIMIT)
{
//--------------------------------------------------------------------------
new Speed = GetTickCount(), DialString[3_000], String[2][128],
Query[2][256], DBResult:Result1, DB:g_dbKeptAlive, what2[30];
g_dbKeptAlive = db_open("Accounts.db");
//--------------------------------------------------------------------------
format(Query[0], 256, "SELECT `name` FROM `users` ORDER BY `%s` *1 DESC limit %d", stats, limit);
Result1 = db_query(g_dbKeptAlive, Query[0]);
//--------------------------------------------------------------------------
if(!strcmp(what, "Kills")) what2 = "Kills";
else if(!strcmp(what, "Hours")) what2 = "Hours";
else if(!strcmp(what, "SPoints")) what2 = "Stunt Points";
else if(!strcmp(what, "DriftP")) what2 = "Drift Points";
else if(!strcmp(what, "RaceP")) what2 = "Race Points";
//--------------------------------------------------------------------------
format(DialString, sizeof DialString, "", what2);
for(new Qr; Qr < db_num_rows(Result1); Qr++)
{
db_get_field(Result1, 0, String[0], 128);
format(Query[1], 256, "SELECT `%s` FROM `users` WHERE `Name` = '%s'", stats, String[0]);
new DBResult:Result2 = db_query(g_dbKeptAlive, Query[1]);
db_get_field(Result2, 0, String[1], 128);
//----------------------------------------------------------------------
if(!strcmp(stats, "Kills")) format(DialString, sizeof DialString,
"%s\n{00FF00}%d. {CCCCCC}%s: {FF0000}%s Kills", DialString, Qr+1, String[0], String[1]/*FormatNumber(strval(String[1]))*/);
//----------------------------------------------------------------------
else if(!strcmp(stats, "Hours")) format(DialString, sizeof DialString,
"%s\n{00FF00}%d. {CCCCCC}%s: {FF0000}%s Hours", DialString, Qr+1, String[0], String[1]/*FormatNumber(strval(String[1]))*/);
//----------------------------------------------------------------------
else if(!strcmp(stats, "SPoints")) format(DialString, sizeof DialString,
"%s\n{00FF00}%d. {CCCCCC}%s: {FF0000}%s Stunt Points", DialString, Qr+1, String[0], String[1]/*FormatNumber(strval(String[1]))*/);
//----------------------------------------------------------------------
else if(!strcmp(stats, "DriftP")) format(DialString, sizeof DialString,
"%s\n{00FF00}%d. {CCCCCC}%s: {FF0000}%s Drift Points", DialString, Qr+1, String[0], String[1]/*FormatNumber(strval(String[1]))*/);
//----------------------------------------------------------------------
else if(!strcmp(stats, "RaceP")) format(DialString, sizeof DialString,
"%s\n{00FF00}%d. {CCCCCC}%s: {FF0000}%s Race Points", DialString, Qr+1, String[0], String[1]/*FormatNumber(strval(String[1]))*/);
//----------------------------------------------------------------------
db_next_row(Result1);
db_free_result(Result2);
}
db_free_result(Result1);
db_close(g_dbKeptAlive);
format(DialString, sizeof DialString, "%s\n\n{CCFF66}The players with most points will apear here!\n{CCFF66}It is a honor to apear here!", DialString, GetTickCount() - Speed);
ShowPlayerDialog( playerid, 123, DIALOG_STYLE_MSGBOX, "{CCFF66}Top 10 players, DialString, "Close", "");
return 1;
}[/pawn]
cum pot face sa fie protejat de sql injection ?
Link to comment
Share on other sites
4 answers to this question
Recommended Posts