How to enable multiple statements (aka easy SQL injection)
Seriously, why do people feel the need to do this?
You can enable multiple statements to be executed by adding multipleStatements=true to your connection string.
This allows SQL injection in resources that use string concatenation, such as esx_kashacter, rather than parameters, allowing clients to easily delete your entire database (see: https://forum.cfx.re/t/database-tables-are-deleted/4764756).
Enabling multi-statements allows resources to execute multiple queries in a single function, rather than splitting it into several; this is a common practice in encrypted resources that check for and create tables every time they start rather than providing users with an SQL file to execute themselves (i.e. esx_job_creator).
It's also required when using vRP due to users' love of multi-statements to call SELECT LAST_INSERT_ID, despite it already being returned by both query and insert functions.
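The following is an added example, not code from the issue author or from the project, showing why the combination described above is dangerous and what the fix looks like from the resource side. It needs no database: `escapeValue` mimics the backslash escaping the Node `mysql`/`mysql2` drivers apply to `?` placeholders, and `countStatements` reports how many top-level statements the server would receive for a given query text. The table and column names, the constructed identifier, the connection strings and the helper `allowsMultipleStatements` are all assumptions for the example, not an oxmysql API.

```javascript
// Added example (not oxmysql's code). Escaping below mimics how the mysql/mysql2
// drivers fill `?` placeholders; table/column names and inputs are constructed.

// Escape one value the way `?` placeholders are filled: backslash-escape quotes,
// backslashes and control characters, then wrap in single quotes so the value
// is always exactly one string literal.
function escapeValue(value) {
  if (value === null || value === undefined) return 'NULL';
  if (typeof value === 'number') return String(value);
  const escaped = String(value).replace(/[\0\b\t\n\r\x1a'"\\]/g, (ch) => {
    switch (ch) {
      case '\0': return '\\0';
      case '\b': return '\\b';
      case '\t': return '\\t';
      case '\n': return '\\n';
      case '\r': return '\\r';
      case '\x1a': return '\\Z';
      case '\\': return '\\\\';
      default: return '\\' + ch; // ' and "
    }
  });
  return `'${escaped}'`;
}

// Fill `?` placeholders left to right (parameterized query, driver side).
function format(sql, params) {
  let i = 0;
  return sql.replace(/\?/g, () => escapeValue(params[i++]));
}

// Count top-level statements in a MySQL query text. Semicolons inside quoted
// strings, backtick identifiers or comments do not count, so the result is the
// number of statements the server would actually try to execute.
function countStatements(sql) {
  let count = 0;
  let inQuote = null;   // quote character currently open, or null
  let sawText = false;  // non-whitespace seen since the last ';'
  let i = 0;
  while (i < sql.length) {
    const ch = sql[i];
    const next = sql[i + 1];
    if (inQuote) {
      if (ch === '\\') { i += 2; continue; }          // escaped char inside literal
      if (ch === inQuote) inQuote = null;
      i += 1;
      continue;
    }
    if ((ch === '-' && next === '-') || ch === '#') { // comment to end of line
      const eol = sql.indexOf('\n', i);
      i = eol === -1 ? sql.length : eol;
      continue;
    }
    if (ch === '/' && next === '*') {                 // block comment
      const end = sql.indexOf('*/', i + 2);
      i = end === -1 ? sql.length : end + 2;
      continue;
    }
    if (ch === "'" || ch === '"' || ch === '`') { inQuote = ch; sawText = true; i += 1; continue; }
    if (ch === ';') {
      if (sawText) { count += 1; sawText = false; }
      i += 1;
      continue;
    }
    if (!/\s/.test(ch)) sawText = true;
    i += 1;
  }
  return sawText ? count + 1 : count;
}

// The pattern the issue warns about: client-controlled text glued into SQL.
function buildConcatenated(identifier) {
  return "SELECT * FROM users WHERE identifier = '" + identifier + "'";
}

// The parameterized form: the value can never close the literal.
function buildParameterized(identifier) {
  return format('SELECT * FROM users WHERE identifier = ?', [identifier]);
}

// Config review helper (hypothetical, not an oxmysql API): does a connection
// string, as a URI query part or a `key=value;` list, turn on multipleStatements?
function allowsMultipleStatements(connectionString) {
  const query = connectionString.includes('?') ? connectionString.split('?')[1] : connectionString;
  return query.split(/[;&]/).some((pair) => {
    const [key, value = ''] = pair.split('=');
    return key.trim().toLowerCase() === 'multiplestatements' && value.trim().toLowerCase() === 'true';
  });
}

// Constructed input: an identifier that tries to end the literal and stack a second statement.
const untrusted = "steam:110000100000000'; SELECT 1; -- ";
console.log(countStatements(buildConcatenated(untrusted)));  // 2: a second statement reaches the server
console.log(countStatements(buildParameterized(untrusted))); // 1: still a single SELECT
console.log(allowsMultipleStatements('mysql://user:pass@localhost/fivem?multipleStatements=true')); // true
```

Run it with `node`. The first line shows what `multipleStatements=true` buys an attacker: the concatenated query arrives at the server as two statements, and with the flag on MySQL executes both; with the flag off the same text is rejected with a parse error, which is why the flag should stay off. The second line shows that the real fix is on the resource side: once the value goes through a `?` parameter it stays one literal no matter what it contains, so the flag is not needed to make the query safe and not sufficient to make it dangerous. The config check is the kind of thing to run over server configs during review to find resources that quietly require the flag.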