Implementing TGSQL security

This commit is contained in:
Cadyn
2021-01-27 10:51:12 -08:00
parent e3a5367009
commit 00bc513e6e
19 changed files with 228 additions and 118 deletions


@@ -353,17 +353,19 @@ var/obj/machinery/blackbox_recorder/blackbox
query.Execute()
while(query.NextRow())
round_id = query.item[1]
qdel(query) //CHOMPEdit TGSQL
if(!isnum(round_id))
round_id = text2num(round_id)
round_id++
for(var/datum/feedback_variable/FV in feedback)
var/sql = "INSERT INTO erro_feedback VALUES (null, Now(), [round_id], \"[FV.get_variable()]\", [FV.get_value()], \"[FV.get_details()]\")"
var/DBQuery/query_insert = SSdbcore.NewQuery(sql) //CHOMPEdit TGSQL
var/list/sqlargs = list("t_roundid" = round_id, "t_variable" = "[FV.get_variable()]", "t_value" = "[FV.get_value()]", "t_details" = "[FV.get_details()]") //CHOMPEdit TGSQL
var/sql = "INSERT INTO erro_feedback VALUES (null, Now(), :t_roundid, :t_variable, :t_value, :t_details)" //CHOMPEdit TGSQL
var/DBQuery/query_insert = SSdbcore.NewQuery(sql, sqlargs) //CHOMPEdit TGSQL
query_insert.Execute()
qdel(query_insert) //CHOMPEdit TGSQL
// Sanitize inputs to avoid SQL injection attacks
// Sanitize inputs to avoid SQL injection attacks //CHOMPEdit NOTE: This is not secure. Basic filters like this are pretty easy to bypass. Use the format for arguments used in the above.
proc/sql_sanitize_text(var/text)
text = replacetext(text, "'", "''")
text = replacetext(text, ";", "")
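Review bot: `"t_value" = "[FV.get_value()]"` in the new `sqlargs` list binds the feedback value as a string, whereas the statement it replaces interpolated `[FV.get_value()]` unquoted, i.e. as a number; if that column is numeric, passing `"t_value" = FV.get_value()` unwrapped keeps the bound type consistent with the old behaviour — confirm against the `erro_feedback` schema, which is not on this page. The rewritten comment above `sql_sanitize_text` says the helper is insecure but leaves it callable with no pointer to the replacement, so a reader landing on it from another call site still has to guess; I would make the comment self-contained, e.g. `// DEPRECATED: do not use for new queries, it does not stop injection. Pass values through the args list of SSdbcore.NewQuery(sql, args) (":name" placeholders) so the driver binds them.` Both the enclosing `blackbox` proc and the body of `sql_sanitize_text` continue outside this hunk.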