Search found 10 matches: sql injection

Searched query: sql injection

by Lapo
04 Feb 2013, 09:19
Forum: Server Side Extension Development
Topic: DbManager - recommended or unsafe?
Replies: 8
Views: 14720

Re: DbManager - recommended or unsafe?

... things, but aren't the helper methods like executeQuery() dangerous for SQL injection attacks? If so, then should they really be provided - of course they are perhaps aimed at newbies but on the other hand those are the kind of people who are not going to be aware of the risks so my question is ...
by JohnnyD
27 Nov 2012, 14:32
Forum: Server Side Extension Development
Topic: DbManager - recommended or unsafe?
Replies: 8
Views: 14720

Re: DbManager - recommended or unsafe?

Yeah but the people who know how to do that are the ones who know the dangers of not doing it :)
SQL injection-proofing isn't common sense in my view, otherwise it wouldn't be such an endemic problem!

A note in the javadoc would still be worthwhile IMO but I'll not argue it any further :)
by rjgtav
20 Nov 2012, 21:02
Forum: Server Side Extension Development
Topic: DbManager - recommended or unsafe?
Replies: 8
Views: 14720

Re: DbManager - recommended or unsafe?

... bad characters from the messages sent from the client covers most of the SQL injection scenarios.

If you prefer to use Prepared Statements, you can easily get the JDBC connection through the DBManager.getConnection() method, which will give you direct access to the JDBC framework. Don't forget to ...
by JohnnyD
20 Nov 2012, 20:11
Forum: Server Side Extension Development
Topic: DbManager - recommended or unsafe?
Replies: 8
Views: 14720

DbManager - recommended or unsafe?

... things, but aren't the helper methods like executeQuery() dangerous for SQL injection attacks? If so, then should they really be provided - of course they are perhaps aimed at newbies but on the other hand those are the kind of people who are not going to be aware of the risks so my question is ...
by BigFIsh
01 Sep 2011, 04:34
Forum: Server Side Extension Development
Topic: (AS1) - How to get MySQL error message?
Replies: 4
Views: 9661

It's not a good idea to send the error message to the client - it just opens a door for sql injection / hack. So that's why the error is only logged in your logs.
by p3dro.sola
10 Sep 2010, 01:52
Forum: Server Side Extension Development
Topic: SQL Injection
Replies: 1
Views: 5056

SQL Injection

... wondering what sort of protection (if any) smartfox server has against sql injection attacks on serverside extensions.

For example, let's say I have a function in a serverside extension that logs moves from a game to a MySQL database. So every time a player makes a move this code gets run ...
by Gamer
15 Sep 2009, 17:44
Forum: Server Side Extension Development
Topic: SQL Injection
Replies: 1
Views: 5342

SQL Injection

Is using the escapedquotes function enough? Does that cover all scenarios?
by Flappi282
02 Aug 2009, 12:45
Forum: Server Side Extension Development
Topic: SQL Question
Replies: 3
Views: 6523

SQL Question

Hey! How do you stop SQL injection? In PHP the code is:

$clean = mysql_real_escape_string($name_bad);
by jamieyg3
24 Nov 2008, 03:43
Forum: Server Side Extension Development
Topic: Help! Could not retrieve a database connection
Replies: 5
Views: 9372

Help! Could not retrieve a database connection

... Could not retrieve a database connection: org.apache.commons.dbcp.SQLNestedException: Cannot get a connection, pool exhausted
jvm 1 | org ... I am also doing, because I wanted to use PreparedStatements to avoid injection attacks. All I have to do to trigger this problem is try to login with ...
by mwadden
27 Aug 2007, 20:22
Forum: Server Side Extension Development
Topic: Protecting against SQL injection
Replies: 7
Views: 16108

Protecting against SQL injection

... user submitted variables on the server side, so that I'm protected from SQL injection?

For example, I want to do this but it's clearly not safe:

var sql = "select * from users where userName='" + nick + "' and password='" + pass + "'";

Normally I'd use an escaping function (in .net, coldfusion ...