Dear plugin developer,

We have updated the Poggit plugin rules, and your plugin Prisons appears to be affected.
The new rule is as follows:
B8: SQL parameters must be escaped
Data must NEVER be interpolated directly into SQL strings unless it is explicitly escaped using the mysqli::escape_string/SQLite3::escapeString function. No exceptions, even if you are sure the values are integers, player names, or otherwise validated. Using libasynql, or using bind_param()/bindValue(), would be even better.
We detected the following line of code (and probably others) from your plugin that seems to breach the rule:
$query = $this->db->query("SELECT * FROM players WHERE username ='{$player}';");
You are required to update the code to conform to the rules within 14 days. Otherwise, your plugin may be removed from Poggit and a security advisory will be issued recommending that users remove your plugin.
A simple fix is to use SQLite3::escapeString or mysqli::real_escape_string to escape your data, but we recommend that you use SQLite3::prepare() and bindValue or mysqli::prepare() and bind_param instead. Even better, we recommend that you migrate to libasynql, although this is not a strict requirement. (But async database access may become a strict requirement in the future).
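The following is an added example, not code from the Poggit notice or from the Prisons plugin. It places the flagged query pattern beside the two fixes the notice names for SQLite3: escaping with SQLite3::escapeString, and a prepared statement with bindValue. It assumes an \SQLite3 handle and a `players` table with a `username` column; the in-memory table, its rows and the `$player` value are constructed for the demonstration.

```php
<?php
// Added example (not from the Poggit notice or the Prisons plugin).
// Assumes an \SQLite3 handle and a "players" table with a "username" column,
// matching the flagged query. The schema and rows below are constructed for the demo.

$db = new SQLite3(':memory:');
$db->exec("CREATE TABLE players (username TEXT PRIMARY KEY, balance INTEGER NOT NULL DEFAULT 0)");
$db->exec("INSERT INTO players (username, balance) VALUES ('Steve', 100), ('Alex', 250)");

// A value as it might arrive from a player name or command argument (constructed).
// The single quote is what makes interpolation unsafe.
$player = "Steve' OR '1'='1";

/** Collect every row of a result set as an associative array. */
function fetchAll(SQLite3Result $result): array {
    $rows = [];
    while (($row = $result->fetchArray(SQLITE3_ASSOC)) !== false) {
        $rows[] = $row;
    }
    return $rows;
}

// The pattern rule B8 flags: the value becomes part of the SQL text, so a quote
// inside $player changes the structure of the query rather than just its data.
function fetchPlayerUnsafe(SQLite3 $db, string $player): array {
    return fetchAll($db->query("SELECT * FROM players WHERE username ='{$player}';"));
}

// Minimal fix the notice allows: escape the value before interpolating it.
// SQLite3::escapeString doubles single quotes so they stay inside the literal.
function fetchPlayerEscaped(SQLite3 $db, string $player): array {
    $safe = SQLite3::escapeString($player);
    return fetchAll($db->query("SELECT * FROM players WHERE username ='{$safe}';"));
}

// Recommended fix: a prepared statement with a bound parameter. The SQL text is
// fixed at prepare time and the value is passed separately, so nothing in
// $player can alter the query and no escaping is needed.
function fetchPlayerPrepared(SQLite3 $db, string $player): array {
    $stmt = $db->prepare("SELECT * FROM players WHERE username = :username;");
    $stmt->bindValue(':username', $player, SQLITE3_TEXT);
    return fetchAll($stmt->execute());
}

echo count(fetchPlayerUnsafe($db, $player)) . " row(s) from the interpolated query\n";
echo count(fetchPlayerEscaped($db, $player)) . " row(s) with SQLite3::escapeString\n";
echo count(fetchPlayerPrepared($db, $player)) . " row(s) with a bound parameter\n";
```

Run with `php example.php` (the sqlite3 extension must be enabled). The interpolated query matches every row in the table because the quote in `$player` closes the string literal early, while both fixes match no rows since no player is literally named `Steve' OR '1'='1`. For MySQL the same structure applies with mysqli::prepare() and bind_param(), or mysqli::real_escape_string for the escaping variant.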
Should you have any enquiries, please post your question on the #poggit channel on the PMMP Community Discord.
Best regards,
SOFe
Poggit Team