Closed esauvisky closed 4 years ago
The issue with single quotes has been fixed in version 1.41. As far as I can tell, you pretty much forced the error, by looking at all those zeros from the server id.
About the SQL injection on bots in Discord realms, there's no need to use alchemy: it's all about commands. If the message starts with !play, then it isn't gonna kick anyone. The only exception to this would be an eval command. As in, commands that take a string and then execute that string as program code. Usually eval commands are restricted to certain people (like the mods), but if you found a bot that has a publicly usable eval command, then yeah, you could make it do pretty much anything. But with other, regular commands? No way. If it's an open eval command that runs on the bot host itself without any environment trickery, yeah, that's a problem. But if it's just a command that passes stuff over to ideone or is restricted to only the bot owner, there shouldn't be any harm.
If you want to know more about Discord bots, I can recommend some reading:
https://discordpy.readthedocs.io/en/rewrite/api.html
https://github.com/Rapptz
If the server name contains single quotes, the bot fails while trying to insert the entry for the server into the recently created db. This happens both with sqlite3 and postgresql.
In servers_sql.py:18-31:

I didn't look yet at the other files, but if lack of sanitization as above is a common standard over the queries, it might need attention as this potentially creates an attack vector for SQL injection, particularly if there's any user input that gets sent to the db straightaway.
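Added example, not part of the original issue or the project's code: it reproduces the single-quote failure with a string-built INSERT and shows the same insert with bound parameters. The `servers` table, its columns and the function names are assumptions, since the contents of servers_sql.py are not shown on this page.

```python
import sqlite3

# Hypothetical schema; the project's real table is not shown on this page.
SCHEMA = "CREATE TABLE servers (server_id TEXT PRIMARY KEY, name TEXT NOT NULL)"

# Constructed sample server names.
NAMES = ["Plain Server", "Bob's Server", "O''Neil"]


def insert_by_formatting(conn, server_id, name):
    """The pattern the issue describes: values pasted into the SQL text."""
    sql = "INSERT INTO servers (server_id, name) VALUES ('%s', '%s')" % (server_id, name)
    conn.execute(sql)


def insert_with_placeholders(conn, server_id, name):
    """Values are bound separately from the SQL text, so quotes stay plain data.
    sqlite3 uses ? placeholders; psycopg2 (PostgreSQL) uses %s with a parameter tuple."""
    conn.execute("INSERT INTO servers (server_id, name) VALUES (?, ?)", (server_id, name))


def round_trip(insert_fn, names):
    """Insert each name into a fresh in-memory db and read it back.
    Returns {name: stored value}, with None where the insert raised an SQL error."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    result = {}
    for i, name in enumerate(names):
        server_id = "%018d" % i  # constructed id
        try:
            insert_fn(conn, server_id, name)
        except sqlite3.Error:
            result[name] = None  # the quote ended the string literal early
            continue
        row = conn.execute(
            "SELECT name FROM servers WHERE server_id = ?", (server_id,)
        ).fetchone()
        result[name] = row[0]
    conn.close()
    return result


if __name__ == "__main__":
    for fn in (insert_by_formatting, insert_with_placeholders):
        print(fn.__name__, round_trip(fn, NAMES))
```

With the string-built query one name is rejected outright and another is stored with different content than was supplied; with placeholders all three round-trip unchanged.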