<URL: http://bugs.freeciv.org/Ticket/Display.html?id=40018 >

> [EMAIL PROTECTED] - Tue Jan 15 02:16:57 2008]:
>  Auth enabled server had died because of nasty SQL.

There are as far as I know two ways that foreign SQL could
be injected when auth is enabled: via the user name and via
a new user password. For warclient what I have done (instead
of disallowing the ' character, which actually occurs frequently
in online names e.g. as in the English possessive) is to use
the MySQL C API function mysql_real_escape_string to escape
any potentially harmful strings prior to using them to construct
queries (prepared statements would obviate the need for this,
but are generally more cumbersome to set up).

Freeciv-dev mailing list

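The escaping step described in the message above, as an added example that is not warclient's or Freeciv's code. `escape_sql_literal` is a stand-in written for this example so it runs without a MySQL connection (real code calls `mysql_real_escape_string` on a live connection, which also takes the connection character set into account); the `auth` table, the `name` column and the 48-byte name limit are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for mysql_real_escape_string() so the example runs without a
 * server: escapes the characters the MySQL manual lists (NUL, \n, \r, \,
 * ', ", Ctrl-Z) for a single-byte character set. `to` must hold
 * 2 * len + 1 bytes, the same sizing rule as the real call. */
static size_t escape_sql_literal(char *to, const char *from, size_t len)
{
    char *out = to;
    for (size_t i = 0; i < len; i++) {
        char c = from[i], esc = 0;
        switch (c) {
        case '\0': esc = '0'; break;
        case '\n': esc = 'n'; break;
        case '\r': esc = 'r'; break;
        case 26:   esc = 'Z'; break;   /* Ctrl-Z */
        case '\\': case '\'': case '"': esc = c; break;
        }
        if (esc) { *out++ = '\\'; *out++ = esc; }
        else     { *out++ = c; }
    }
    *out = '\0';
    return (size_t)(out - to);
}

/* Builds the lookup query for a user name (table and column names are
 * hypothetical). Returns 0 on success, -1 if the name or query does not fit. */
static int build_auth_query(char *query, size_t qsize, const char *name)
{
    char escaped[2 * 48 + 1];
    size_t len = strlen(name);
    if (len > 48)
        return -1;                      /* reject instead of truncating */
    escape_sql_literal(escaped, name, len);
    int n = snprintf(query, qsize,
                     "SELECT password FROM auth WHERE name = '%s'", escaped);
    return (n < 0 || (size_t)n >= qsize) ? -1 : 0;
}

int main(void)
{
    /* Constructed inputs: a possessive name and one that tries to close the quote. */
    const char *names[] = { "Pete's Empire", "x' OR '1'='1" };
    char query[256];
    for (size_t i = 0; i < 2; i++)
        if (build_auth_query(query, sizeof query, names[i]) == 0)
            puts(query);
    return 0;
}
```

Both names stay inside the quoted literal, so the apostrophe in a possessive name is accepted as data and no input can end the string early.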