#EXCUSE ME
this is a 100% sql injection
hmm
wouldn't %q save it?
I don't recall what it escapes and what not
(note: I'm not advocating that this is good, this is probably still the worst implementation of prepared statements that I have ever seen, short of "none at all")
nope, there 100% are edge cases, newlines are an example, %q guarantees that the output can safely be embedded in place of a LUA STRING, definitely not sql
i.e.
for "a\nb"
the output is "a
b"
I mean, sure, it gives wrong results
but would it be the cause for SQL injections
the newline thing would either embed a backslash and a newline or it would just be a syntax error
i am very sure in that tbh
eh, in any case, you shouldn't do this
unless you have i.e. a stacked query, where a newline does not yet mean "syntax error"
rare but
something ?
...
diff query ?
if you control both and can insert a newline in the first one, that might give some results
not sure though, could be interpreted as an unclosed string, so then its
something "/
...
diff query "more user data"
more user data can also be a comment
so // to prevent further syntax errors
and inject any query you want
best course of action would be to just run sqlmap on it for extensive testing
easiest selftest out there i guess
But what if I do?
why should i care about it? you can escape args manually
then your server will be subject to an sql injection attack
except you also break manual escaping you dumbass
are you an idiot or something
do you really not understand the consequences of posting THIS here?
Wow. How did I not know about this?
for people to use
you literally supply them with a broken library
that will let anyone fuck up their server
and say
"ummm i dont care hehe"
what
About injection attacks in Garry's mod.
i don't know lol
Have I just been living under a rock?
it seems so
Yep.
how do i break it?
instead of shitting in chat, you can PR
you do double escaping, moron
instead of releasing a vulnerable lib to the public, maybe, make sure its fine first?
what do you mean?
i dont escape anything
%q
its quote
read up on %q
its a formatter that ensures that a string will be safely escaped for LUA CODE
ah
okey
then i will just https://github.com/Be1zebub/Small-GLua-Things/commit/29f65cf6b043ffac6039b17c61d5d0ef8511741a
yes, that is a lot better, but still, you should rather be using builtin prepared statements and formatting for each database engine
aka mysql and sqlite can have different quirks on the syntax side
gmod doesnt have sqlite statements api
so cope
so this will work for sqlite, but might not for mysql/different db engines
kinda, yet mysqloo can have that for an example
ru glad?
instead of shitting a ton of text in chat, you would do this pr in 10 seconds
whats ur point when creating this library?
making a unified way for sql libraries to be used in lua or wut?
yeah.
the final goal is to make a library that can be integrated into any addon in a couple of minutes.
for example, I recently added mysqloo/tmysql support to gestures - it took about 3 minutes, i just added function INC_GESTURES:SetupDB(driver, credentials), included lua/gestures/db_config.lua with this function call & replaced all sql.Query with INC_GESTURES.db:Query (also i wrapped all :Query's in coroutines)
have fun