For example, let's say i have a function in a serverside extentsion that logs moves from a game to a MySQL database. So everytime a player makes a move this code gets run (Actionscript)
Code: Select all
dbase.executeCommand("UPDATE table SET log = CONCAT(log, '"+params.log+"') WHERE match_id = '"+params.match_id+"';");
That will work fine, however if a user were to modify the parameters being sent to SFS then they would be able to perform an SQL Injection.
What would solve this is the equivalent of mysql_real_escape_string() in PHP.
Any ideas?