SQL Injection

p3dro.sola · Post by **p3dro.sola** » 10 Sep 2010, 01:52

Hi, i was wondering what sort of protection (if any) smartfox server has against sql injection attacks on serverside extentions.

For example, let's say i have a function in a serverside extentsion that logs moves from a game to a MySQL database. So everytime a player makes a move this code gets run (Actionscript)

Code: Select all

dbase.executeCommand("UPDATE table SET log = CONCAT(log, '"+params.log+"') WHERE match_id = '"+params.match_id+"';");

That will work fine, however if a user were to modify the parameters being sent to SFS then they would be able to perform an SQL Injection.

What would solve this is the equivalent of mysql_real_escape_string() in PHP.

Any ideas?

BigFIsh · Post by **BigFIsh** » 10 Sep 2010, 04:02

_server.escapeQuotes(...)