SQL Injection


ays297

Question


  • Group:  Members
  • Topic Count:  24
  • Topics Per Day:  0.01
  • Content Count:  49
  • Reputation:   0
  • Joined:  11/30/11
  • Last Seen:  

Is it possible for this part of the script to get an SQL injection?

input @upper_hg$;
if(query_sql("SELECT `view` from `item_db` where `equip_locations` = 256 and `id` ='"+@upper_hg$+"'") == 0)
{ mes "No headgear was found";
close; }
else {
query_sql "SELECT `view` from `item_db` where `equip_locations` = 256 and `id` ='"+@upper_hg$+"'", ouchoice;
query_sql "SELECT `name_japanese` from `item_db` where `equip_locations` = 256 and `view` ='"+ouchoice+"'", UFS$;


5 answers to this question

Recommended Posts


  • Group:  Forum Moderator
  • Topic Count:  93
  • Topics Per Day:  0.02
  • Content Count:  10015
  • Reputation:   2348
  • Joined:  10/28/11
  • Last Seen:  

Isn't it that you can simply get the view id here?

getiteminfo( <itemID>,14 )

  • Upvote 2


  • Group:  Members
  • Topic Count:  18
  • Topics Per Day:  0.00
  • Content Count:  2044
  • Reputation:   682
  • Joined:  10/09/12
  • Last Seen:  

yeah, it's possible

it's only impossible to get SQL injection IF ...

1. input .@string_var$; query_sql ".... where data = '"+ escape_sql(.@string_var$) +"'";

2. input .@int_var; query_sql ".... where data = "+ .@int_var;

all other methods can get SQL injection



  • Group:  Members
  • Topic Count:  24
  • Topics Per Day:  0.01
  • Content Count:  49
  • Reputation:   0
  • Joined:  11/30/11
  • Last Seen:  

Oh, then by just using 2., my script will be good, right? Like, safe from SQL injection? And yeah, I think I should do that because the script is not really asking for a string, right?



  • Group:  Members
  • Topic Count:  18
  • Topics Per Day:  0.00
  • Content Count:  2044
  • Reputation:   682
  • Joined:  10/09/12
  • Last Seen:  

prontera,154,183,5	script	headgear finder	100,{
mes "input a headgear item_id";
next;
input .@upper_headgear; // try 2220
if ( !( .@nb = query_sql("select id, name_japanese from item_db where equip_locations & 256 and view = ( select view from item_db where equip_locations & 256 and id = "+ .@upper_headgear +" )", .@item_id, .@item_name$ ) ) ) {
	mes "no headgear was found";
	close;
}
mes "these are the items that has same view_id when you input that item_id";
next;
for ( .@i = 0; .@i < .@nb; .@i++ )
	.@menu$ = .@menu$ + .@item_name$[.@i] +":";
.@pick = select( .@menu$ ) -1;
mes "you chose "+ .@item_name$[ .@pick ];
getitem .@item_id[ .@pick ], 1;
close;
}

well, better not complicate the topic, so just do something like this

if your input only asks for a numeric value, then use input .@numeric_var <-- without the '$' at the end

then the user will find it hard to inject your script because the input can only accept numbers

and yes, your script in the 1st post is possible to get SQL injection ...

but I dunno what command I should input to inject that script ... lol

because you run query_sql 3 times with different functions ...

Edited by AnnieRuru
  • Upvote 1
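The two safe patterns AnnieRuru lists (escape_sql around a string input, or a numeric input concatenated without quotes) and the raw-concatenation pattern from the first post, side by side as an added example. This is not code from the thread or from rAthena: it uses Python with an in-memory SQLite table of constructed item_db rows in place of the server's MySQL database, and its escape_sql is a hypothetical stand-in that follows SQLite's quoting rule rather than rAthena's MySQL one. The last function redoes the "same view id" lookup from the script above with a bound parameter, which is the form to prefer wherever the database API offers placeholders.

```python
import re
import sqlite3

# Constructed rows standing in for the server's item_db (not real rAthena data):
# (id, name_japanese, equip_locations, view). 256 is the upper-headgear bit used
# in the thread; 2220 and 5000 deliberately share a view id.
ITEM_ROWS = [
    (2220, "Hat", 256, 16),
    (5000, "Helm", 256, 16),
    (2201, "Sunglasses", 512, 12),
]


def build_db():
    """In-memory SQLite table shaped like the item_db columns the scripts query."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE item_db (`id` INTEGER, `name_japanese` TEXT, "
                "`equip_locations` INTEGER, `view` INTEGER)")
    con.executemany("INSERT INTO item_db VALUES (?, ?, ?, ?)", ITEM_ROWS)
    return con


def raw_concat_leaves_literal(con, user_input):
    """The first post's pattern: the raw input is glued into a quoted literal.
    Returns True when the assembled text no longer parses, which is one visible
    symptom of the input having ended the literal the author wrote."""
    sql = ("SELECT `view` FROM item_db WHERE `equip_locations` = 256 AND `id` = '"
           + user_input + "'")
    try:
        con.execute(sql).fetchall()
        return False
    except sqlite3.OperationalError:
        return True


def escape_sql(value):
    """Hypothetical stand-in for the script command escape_sql (pattern 1 in the
    thread). rAthena's version escapes for MySQL; this one follows SQLite's rule
    (double the single quote) so the example runs offline. Either way a quote in
    the input can no longer end the literal."""
    return value.replace("'", "''")


def view_by_escaped_string(con, user_input):
    """Pattern 1: string input, wrapped in quotes, run through escape_sql first."""
    sql = ("SELECT `view` FROM item_db WHERE `equip_locations` = 256 AND `id` = '"
           + escape_sql(user_input) + "'")
    return [row[0] for row in con.execute(sql)]


def parse_numeric_input(raw):
    """Mirror of `input .@var;` without the '$': anything that is not an integer
    is rejected before it gets near the query."""
    return int(raw) if re.fullmatch(r"\s*-?\d+\s*", raw) else None


def view_by_numeric_id(con, raw):
    """Pattern 2: numeric input concatenated without quotes. Safe only because
    the value is guaranteed to be an integer; str() of an int cannot carry SQL."""
    item_id = parse_numeric_input(raw)
    if item_id is None:
        return []
    sql = ("SELECT `view` FROM item_db WHERE `equip_locations` = 256 AND `id` = "
           + str(item_id))
    return [row[0] for row in con.execute(sql)]


def same_view_headgears(con, item_id):
    """The headgear-finder lookup (items sharing the view id of a given upper
    headgear) written with a bound parameter instead of concatenation."""
    rows = con.execute(
        "SELECT `id`, `name_japanese` FROM item_db WHERE `equip_locations` & 256 "
        "AND `view` = (SELECT `view` FROM item_db WHERE `equip_locations` & 256 "
        "AND `id` = ?) ORDER BY `id`",
        (item_id,),
    )
    return list(rows)


if __name__ == "__main__":
    con = build_db()
    print(view_by_numeric_id(con, "2220"))          # [16]
    print(view_by_numeric_id(con, "2220abc"))       # []  rejected before the query runs
    print(view_by_escaped_string(con, "2220'"))     # []  the quote stays inside the literal
    print(raw_concat_leaves_literal(con, "2220'"))  # True
    print(same_view_headgears(con, 2220))           # [(2220, 'Hat'), (5000, 'Helm')]
```

The numeric path is the one the thread settles on for this script: once the input variable has no '$', the only thing that can reach the query is an integer, so there is nothing to escape. The escaped-string path is for the cases where the value really is text, and the bound-parameter form removes the question entirely because the value is never part of the SQL text.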


  • Group:  Members
  • Topic Count:  24
  • Topics Per Day:  0.01
  • Content Count:  49
  • Reputation:   0
  • Joined:  11/30/11
  • Last Seen:  

Oh, thanks a lot. Forget about that, it's fine as long as the server is safe.

Anyway, can you tell me how to do a simple SQL query via the NPC I made? I wanna try it first.
