nuclearsilo583 / zephyrus-store-preview-new-syntax

My rewritten zephyrus store

Fixed SQL injection exploits, SQL syntax improvements #130

Closed azalty closed 1 year ago

azalty commented 1 year ago

This PR fixes some SQL injection exploits and changes some `"%s"` to `'%s'` as it is both the safest way to enter values and a convention.

Injection exploits were able to be done in:

Judging by the scope of these exploits, they don't seem too critical and could only do limited damage, like making logging queries fail or contain invalid data. Mods could try to modify the number of credits a player had, but since they already had access to the givecredits and resetplayer commands in the first place, this has very little use, except potentially trying to evade mod logs.

❌ Didn't try to compile yet
❌ Not tested in game
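An added illustration of the pattern the PR describes, written for this page and not taken from the plugin or the PR: a player-supplied string is escaped with the SourceMod DBI before being placed in a single-quoted literal. The table and column names, the helper name and the callback are assumptions.

```sourcepawn
#include <sourcemod>
#include <dbi>

// Hypothetical helper (not the store's own code): records a credit change.
// The pattern being removed by the PR pasted the raw name into a
// double-quoted literal via Format(), e.g.
//   "... VALUES (\"%s\", %d)"
// which lets a name containing a quote character end the literal early
// and at best makes the logging query fail or store invalid data.
void LogCreditChange(Database db, int client, int credits)
{
    char name[MAX_NAME_LENGTH];
    GetClientName(client, name, sizeof(name));

    // Escape every player-controlled string before it reaches SQL.
    // MySQL escaping can double the length, so reserve 2x plus the terminator.
    char safeName[2 * MAX_NAME_LENGTH + 1];
    if (!db.Escape(name, safeName, sizeof(safeName)))
    {
        LogError("Could not escape name for client %d, skipping log entry", client);
        return;
    }

    // Single quotes are the standard SQL string delimiter; MySQL treats
    // double quotes as identifier quotes when ANSI_QUOTES is enabled,
    // which is one reason the PR moves from "%s" to '%s'.
    // %d for the integer keeps the credit amount out of string handling.
    char query[256];
    Format(query, sizeof(query),
        "INSERT INTO store_logs (name, credits) VALUES ('%s', %d)",
        safeName, credits);

    db.Query(OnLogCreditChange, query);
}

public void OnLogCreditChange(Database db, DBResultSet results, const char[] error, any data)
{
    if (results == null)
    {
        LogError("store_logs insert failed: %s", error);
    }
}
```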

nuclearsilo583 commented 1 year ago

thanks