Solved Formatting SQLite queries and sanitizing data

Discussion in 'Rust Development' started by Kyrah Abattoir, Apr 28, 2016.

  1. Kyrah Abattoir

    Kyrah Abattoir

    Long story short, what is the proper, secure way to format sql queries for the sqlite extension to guard against sql injections?

    Also... what is wrong with this piece of code:
    It is loosely based on the example on the sqlite extension page, but it always returns a count of 0. I'm not sure what i've done wrong there.

    Code:
    bool existing = false;
_sqLite.Query(Core.Database.Sql.Builder.Append(string.Format($"SELECT COUNT (*) FROM `players` WHERE `steam_id` = '{0}';", steamId)), _key2name, list =>
{
    if (list == null) return;
    int count = (int)list[0]["COUNT (*)"];
});
    [DOUBLEPOST=1461845526][/DOUBLEPOST]I guess that part of my problem is that i did not realise that this was an anonymous delegate.

    I've never worked with those, could someone provide a brief example on how i could pass multiple variables to a delegate, on top of the query result?
    [DOUBLEPOST=1461848661][/DOUBLEPOST]This is my revised code but now i'm getting an invalid cast exception.

    Code:
    //Create/Update entries in the key2name database
        void SqlUpdateVisitorList(ulong steamId, string name)
        {
            _sqLite.Query(Core.Database.Sql.Builder.Append(string.Format($"SELECT COUNT (*) FROM `players` WHERE `steam_id` = '{0}';", steamId)), _key2name, data => SqlUpdateVisitorCallback(steamId, name, data));
        }
        void SqlUpdateVisitorCallback(ulong steamId, string name, List<Dictionary<string, object>> data)
        {
            if (data == null) return;
            int count = (int)data[0]["COUNT (*)"];
            Puts("COUNT=" + count);
            if (count > 0)
                _sqLite.Update(Core.Database.Sql.Builder.Append("UPDATE `players` SET `player_name` = @1 WHERE `steam_id` = @0;", steamId, name), _key2name);
            else
                _sqLite.Insert(Core.Database.Sql.Builder.Append("INSERT INTO `players` (steam_id,player_name) VALUES (@0, @1);", steamId, name), _key2name);
        }
    EDIT: Allright no more errors, but is there any recommendations to guard queries against SQL injections? I'm gonna need to accept text entry for the vote system and it has to query the database to check on offline players.

    I haven't seen any plugins that use a DB system actually sanitizing their inputs, which is a little spooky ...
     
    Last edited by a moderator: Apr 28, 2016
    Kyrah Abattoir, Apr 28, 2016
    #1
  2. sqroot

    sqroot

    People don't sanitize their queries because their plugins don't derive arguments from some sort of user input.
    I've written a guide on how to prevent SQL queries in Oxide here: Preventing SQL injections | Oxide
     
    sqroot, May 4, 2016
    #2
  3. Kyrah Abattoir

    Kyrah Abattoir

    Excellent, turns out that what you recommend is what I've been using all along!
     
    Kyrah Abattoir, May 4, 2016
    #3