MySQL syntax error

I get an error with this SQL code:

"INSERT INTO banrequests (Poster ,On ,Reason ,SteamID) VALUES ('".. ply:Nick() .."','".. args[1] .."','".. args[2] .."','".. args[3] .."')"

The args and ply:Nick() exist, I printed them in the console.
What can the problem be?

Post the rest of the code please, and also what the error is.

Solved it

Had nothing to do with the other code, it was a MySQL syntax error.

SQLStr those string values, for fuck’s sake D: If you deploy that code, everyone can and will exploit it.

Even I would probably try to exploit it.


Well, what is the error?

") DELETE * FROM users

What a good name to have :smiley:

He said he fixed it, and how would you inject SQL into the code?

Like that. Or like this:

a', 'b', 'c', 'd'); DROP TABLE users  --

Yeah, I know how it works, but how could you do it, given the query is on the server side, called by hooks? The only way I see is if you have a menu that lets clients register or something.

He uses their name in the query. So all you do is escape the query and add bits in, using your name.

The only way to hack it is to change the name of the guy you're reporting and your own name, and still it won't work because the SteamID needs to be changed to what you want, which isn't possible, and if I add a hash it will be almost impossible to do.

If I do it my way, I could replace the DROP TABLE with a custom INSERT statement that does what I want. Try it.

Unless you escape the input to the query, we could do whatever you like to your database and you’ll be none the wiser.
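The attack described in the last few replies (a player name that closes the string literal and appends a second statement, here a forged INSERT with an attacker-chosen SteamID rather than a DROP TABLE), shown end to end as an added example that is not code from the thread. It is written in Python against an in-memory SQLite database so it runs offline; the `banrequests` table layout is taken from the posted query, and `executescript` is used deliberately to emulate a MySQL connection with multi-statement execution enabled, which is an assumption (whether stacked queries run at all depends on the MySQL driver and its settings). The column name `On` is quoted because ON is a reserved word in both MySQL and SQLite, which by itself produces a syntax error in the posted query; in MySQL it would be written `` `On` ``.

```python
import sqlite3

# Table layout taken from the posted INSERT. "On" must be quoted: ON is a
# reserved word in MySQL and SQLite (backticks in MySQL, double quotes here).
SCHEMA = 'CREATE TABLE banrequests (Poster TEXT, "On" TEXT, Reason TEXT, SteamID TEXT)'

# Constructed inputs for the demonstration (not real player data).
# The "honest" arguments are what the reporting command passes in.
HONEST_ARGS = ["Victim", "rdm", "STEAM_0:1:12345"]

# A player name chosen by the attacker. It closes the VALUES (...) list that
# the server started, stacks a second INSERT with an arbitrary SteamID, and
# comments out the rest of the server's query.
MALICIOUS_NICK = ("a','b','c','d'); "
                  "INSERT INTO banrequests VALUES ('Admin','Victim','forged','STEAM_0:1:999'); --")


def build_query_unsafe(nick, args):
    """Same construction as the posted Lua: plain string concatenation, no escaping."""
    return ('INSERT INTO banrequests (Poster, "On", Reason, SteamID) VALUES (\''
            + nick + "','" + args[0] + "','" + args[1] + "','" + args[2] + "')")


def run_unsafe(conn, nick, args):
    # executescript runs every statement in the string. This emulates a MySQL
    # driver with multi-statement support turned on (an assumption of this demo);
    # it is what turns a broken string literal into a second, attacker-written query.
    conn.executescript(build_query_unsafe(nick, args))


def run_safe(conn, nick, args):
    # Parameterised query: the values travel separately from the SQL text, so the
    # nickname is stored verbatim and can never terminate the string literal.
    conn.execute(
        'INSERT INTO banrequests (Poster, "On", Reason, SteamID) VALUES (?, ?, ?, ?)',
        (nick, args[0], args[1], args[2]),
    )


def demo(safe):
    """Run the malicious nickname through either path and return the resulting rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    (run_safe if safe else run_unsafe)(conn, MALICIOUS_NICK, HONEST_ARGS)
    rows = conn.execute('SELECT Poster, "On", Reason, SteamID FROM banrequests').fetchall()
    conn.close()
    return rows


if __name__ == "__main__":
    print("unsafe:", demo(safe=False))  # two rows, one with the forged SteamID
    print("safe:  ", demo(safe=True))   # one row whose Poster is the literal nickname
```

The unsafe path ends up with two rows, the second carrying the SteamID the attacker picked, so a hash over the real SteamID would not help: the attacker never touches the real one, they write their own row. The safe path stores the whole malicious nickname as an ordinary string. In the original GMod Lua the equivalent fix is to wrap every interpolated value in `sql.SQLStr()` (which quotes and escapes it), or, if a MySQL module such as MySQLOO is in use, the escape method that module provides on the database object, before concatenating it into the query.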