brouznouf / fivem-mysql-async

MySql Async Library for FiveM
MIT License

Security: Concern with passing query data to the client. #161

Open lze3 opened 3 years ago

lze3 commented 3 years ago

Why is data willingly being passed to the client without any security checks at all? These queries could contain quite sensitive content and you most certainly wouldn't want your clients to be able to read the queries at all.

IMO: You shouldn't even be permitted to open the NUI graph stuff without explicit permission. You've added the register_command on the client, specifying a restricted boolean; however, this doesn't exactly work on the client and won't properly check if the command.x ace is allowed.

Nonetheless, such data should not be passed to the client for any reason at all.

https://github.com/brouznouf/fivem-mysql-async/blob/c5fa317a65acfe2eef453257e19e3b4fde137089/src/entry/server.ts#L96-L101
https://github.com/brouznouf/fivem-mysql-async/blob/c5fa317a65acfe2eef453257e19e3b4fde137089/src/entry/server.ts#L103-L115