Remake of PC plugin : Core Protect but it is for PocketMine edition (The project is dead, please check out https://github.com/matcracker/BedcoreProtect instead)
GNU General Public License v3.0
6
stars
2
forks
source link
Enforcement of new Poggit rule against SQL injection #12
We have updated the Poggit plugin rules, and your plugin WhatTheServer appears to be affected.
The new rule is as follows:
B8: SQL parameters must be escaped
Data must NEVER be interpolated into SQL strings using interpolation, unless they are explicitly escaped using the mysqli::escape_string/SQLite3::escapeString function. No exceptions even if you are sure they are integers, player names or validated otherwise. Using libasynql or using bind_param()/bindValue() would be even better.
We detected the following line of code from your plugin that seems to breach the rule:
$query = $this->getDatabase()->prepare("SELECT * FROM PlayerLog WHERE player='$name' ");
You are required to update the code to conform to the rules in 14 days. Otherwise, your plugin may be removed from Poggit and a security advisory will be issued to recommend users to remove your plugin.
A simple fix is to use SQLite3::escapeString or mysqli::real_escape_string to escape your data, but we recommend that you use SQLite3::prepare() and bindValue or mysqli::prepare() and bind_param instead. Even better, we recommend that you migrate to libasynql, although this is not a strict requirement. (But async database access may become a strict requirement in the future).
Shall you have any enquiries, please post your question on the #poggit channel on the PMMP Community Discord.
Dear plugin developer,
We have updated the Poggit plugin rules, and your plugin WhatTheServer appears to be affected.
The new rule is as follows:
We detected the following line of code from your plugin that seems to breach the rule:
You are required to update the code to conform to the rules in 14 days. Otherwise, your plugin may be removed from Poggit and a security advisory will be issued to recommend users to remove your plugin.
A simple fix is to use
SQLite3::escapeStringormysqli::real_escape_stringto escape your data, but we recommend that you useSQLite3::prepare()andbindValueormysqli::prepare()andbind_paraminstead. Even better, we recommend that you migrate to libasynql, although this is not a strict requirement. (But async database access may become a strict requirement in the future).Shall you have any enquiries, please post your question on the
#poggitchannel on the PMMP Community Discord.Best regards, SOFe Poggit Team