DarkIrata Posted June 5, 2012

Hello,

Is it possible to make a SQL injection on an NPC where you can't put text? (The text will be checked in a SQL table.)

I tried it a few times without success, but I think it's still better if I ask before I use it ^^

Sorry if there is already a topic about it, nothing found so fast :/

EvilPuncker Posted June 5, 2012

---------------------------------------

*escape_sql(<value>)

Converts the value to a string and escapes special characters so that it is safe to use in query_sql(). Returns the escaped form of the given value.

Example 1:

	set .@str$, "John's Laptop";
	// Escape the string that was just assigned to .@str$
	set .@esc_str$, escape_sql(.@str$); // Escaped string: John\'s Laptop

---------------------------------------

plankt Posted June 5, 2012

It's next to impossible to inject if they do not get to insert text. A possibility could exist depending on where it gathers its information, like the name of a character or a party name, which could lead to an injection.

DarkIrata (Author) Posted June 5, 2012

The problem is, I need to make an input. I know that without that, it would be impossible... (I know a little bit of PHP)

Toshiro Posted June 5, 2012

> The problem is, I need to make an input. I know that without that, it would be impossible... (I know a little bit of PHP)

There is no problem if you pass the input through escape_sql, it's completely safe then.

	// Read the player's text, then escape it before it is placed inside the quoted literal
	input .@input$;
	query_sql("SELECT `char_id` FROM `login` WHERE `name` = '"+escape_sql(.@input$)+"' LIMIT 1", .@charid);
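
Added example, not written by any poster in this thread: an NPC in the rAthena script language that applies escape_sql() both to text typed into the NPC and to a value the script gathers by itself (the party name, one of the sources mentioned in the thread). The NPC name, position, sprite ID and the `char` / `party` table and column names are assumptions based on a stock database layout.

```rathena
// Added example; NPC name, position, sprite ID and table/column names are assumptions.
prontera,155,180,4	script	Name Lookup	56,{
	mes "[Name Lookup]";
	mes "Enter a character name.";
	next;
	input .@input$;

	// Text typed into the NPC: escape it before it goes between the quotes.
	query_sql("SELECT `char_id` FROM `char` WHERE `name` = '" + escape_sql(.@input$) + "' LIMIT 1", .@char_id);

	// Text the script gathers by itself. The NPC never asks for it,
	// but a player picked it elsewhere, so it is escaped the same way.
	set .@party$, strcharinfo(1); // party name of the attached character, "" if none
	if (.@party$ != "")
		query_sql("SELECT `party_id` FROM `party` WHERE `name` = '" + escape_sql(.@party$) + "' LIMIT 1", .@party_id);

	if (getarraysize(.@char_id) == 0)
		mes "No character with that name.";
	else
		mes "Character ID: " + .@char_id[0];
	if (getarraysize(.@party_id) > 0)
		mes "Your party ID: " + .@party_id[0];
	close;
}
```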