How to block SQL injection?
Write better code.
Don’t concatenate your query but rather use placeholders for filling in values.
Example (using oxmysql):
```lua
local username = "admin"

-- BAD: the user-supplied value is concatenated straight into the SQL string
local adminPassword = MySQL.scalar.await("SELECT `password` FROM `users` WHERE `username` = '" .. username .. "' LIMIT 1")
-- people could just enter "admin' OR '1'='1" as the username to fetch the admin's password

-- BETTER: use a ? placeholder and hand the value over as a parameter
local adminPassword = MySQL.scalar.await('SELECT `password` FROM `users` WHERE `username` = ? LIMIT 1', {
    username, --[[ param2, param3, etc. ]]
})
-- oxmysql / mysql-async bind the parameters as plain values, never as SQL text
-- no more SQL injection :-)
```
This was written in a hurry, so if you didn’t understand it, still have questions, or think I have made a mistake, please feel free to message me.
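The difference between the two queries in the post can be reproduced outside FiveM. The following is an added example, not code from the post or from oxmysql: it uses Python's built-in sqlite3 module in place of MySQL.scalar.await, with a constructed in-memory `users` table, and runs the concatenated and the parameterised query against both a normal username and a username carrying the quote-and-OR payload from the comment above.

```python
import sqlite3

# Constructed in-memory stand-in for the `users` table in the post.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", "admin-password-hash"), ("bob", "bob-password-hash")],
    )
    return conn


def password_concat(conn, username):
    # BAD: mirrors the first query in the post; the value becomes SQL text.
    sql = "SELECT password FROM users WHERE username = '" + username + "' LIMIT 1"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def password_param(conn, username):
    # BETTER: mirrors the second query; the driver binds the value, so any
    # quotes or keywords inside it are compared literally against the column.
    row = conn.execute(
        "SELECT password FROM users WHERE username = ? LIMIT 1", (username,)
    ).fetchone()
    return row[0] if row else None


def demo():
    conn = make_db()
    payload = "x' OR '1'='1"  # constructed injection string, same idea as in the post
    return {
        "concat_legit": password_concat(conn, "bob"),
        "concat_payload": password_concat(conn, payload),
        "param_legit": password_param(conn, "bob"),
        "param_payload": password_param(conn, payload),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

With concatenation the payload turns the WHERE clause into `username = 'x' OR '1'='1'`, which matches every row, and `LIMIT 1` hands back the first one (the admin's). With the placeholder the same string is compared as a literal username, matches nothing, and the function returns None. One caveat placeholders do not cover: they bind values only, so a table or column name (for example in an ORDER BY) taken from user input still has to be checked against a fixed allow-list in code.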