Enforcement of new Poggit rule against SQL injection #12

Open
SOF3 opened this issue Apr 15, 2021 · 0 comments
SOF3 commented Apr 15, 2021

Dear plugin developer,

We have updated the Poggit plugin rules, and your plugin InventorySynchronizer appears to be affected.

The new rule is as follows:

B8: SQL parameters must be escaped

Data must NEVER be interpolated into SQL strings using interpolation, unless they are explicitly escaped using the mysqli::escape_string/SQLite3::escapeString function. No exceptions even if you are sure they are integers, player names or validated otherwise. Using libasynql or using bind_param()/bindValue() would be even better.

We detected the following line of code (and probably others) from your plugin that seems to breach the rule:

$db->query("INSERT INTO inventories(name, inventory, armor) VALUES ('$name', '$inv64', '$armor64')");

You are required to update the code to conform to the rules within 14 days. Otherwise, your plugin may be removed from Poggit and a security advisory will be issued recommending that users remove your plugin.

A simple fix is to use SQLite3::escapeString or mysqli::real_escape_string to escape your data, but we recommend that you use SQLite3::prepare() and bindValue or mysqli::prepare() and bind_param instead. Even better, we recommend that you migrate to libasynql, although this is not a strict requirement. (But async database access may become a strict requirement in the future).

Should you have any enquiries, please post your question in the #poggit channel on the PMMP Community Discord.

Best regards,
SOFe
Poggit Team
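The following is an added example, not code from the Poggit issue or from the InventorySynchronizer plugin. It places the flagged interpolated INSERT beside the two forms rule B8 accepts: a prepared statement with SQLite3::prepare() and bindValue() (the recommended fix) and the escapeString fallback. It assumes an in-memory SQLite3 database and a constructed `inventories` table whose column names are taken from the flagged line; the function names and sample values are constructed for the demonstration.

```php
<?php
// Added example (not from the Poggit issue or the InventorySynchronizer plugin):
// the interpolated INSERT flagged in the issue, beside a prepared-statement
// version using SQLite3::prepare() and bindValue(), as rule B8 recommends.
// Assumptions: an in-memory SQLite3 database and a constructed `inventories`
// table with the column names from the flagged line.

declare(strict_types=1);

function openDatabase(): SQLite3 {
    $db = new SQLite3(':memory:');
    // Constructed schema; column names taken from the flagged query.
    $db->exec('CREATE TABLE inventories (name TEXT PRIMARY KEY, inventory TEXT, armor TEXT)');
    return $db;
}

// BEFORE (breaches rule B8): player data is interpolated straight into the SQL
// string. Any quote character in $name changes the statement's structure, so a
// legitimate name like "O'Brien" already breaks the query.
function saveInventoryInterpolated(SQLite3 $db, string $name, string $inv64, string $armor64): bool {
    return $db->exec("INSERT INTO inventories(name, inventory, armor) VALUES ('$name', '$inv64', '$armor64')");
}

// AFTER (conforms to rule B8): named placeholders are bound with bindValue(),
// so the values travel separately from the SQL text and are never parsed as
// part of the statement.
function saveInventoryPrepared(SQLite3 $db, string $name, string $inv64, string $armor64): bool {
    $stmt = $db->prepare('INSERT INTO inventories(name, inventory, armor) VALUES (:name, :inv, :armor)');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->lastErrorMsg());
    }
    $stmt->bindValue(':name', $name, SQLITE3_TEXT);
    $stmt->bindValue(':inv', $inv64, SQLITE3_TEXT);
    $stmt->bindValue(':armor', $armor64, SQLITE3_TEXT);
    $result = $stmt->execute();
    $stmt->close();
    return $result !== false;
}

// Reads a row back the same way, with a bound parameter in the WHERE clause.
function loadInventory(SQLite3 $db, string $name): ?array {
    $stmt = $db->prepare('SELECT inventory, armor FROM inventories WHERE name = :name');
    $stmt->bindValue(':name', $name, SQLITE3_TEXT);
    $row = $stmt->execute()->fetchArray(SQLITE3_ASSOC);
    $stmt->close();
    return $row === false ? null : $row;
}

// The "simple fix" the issue allows when a prepared statement is not an option:
// escape every value with SQLite3::escapeString() before interpolating it.
function saveInventoryEscaped(SQLite3 $db, string $name, string $inv64, string $armor64): bool {
    $n = SQLite3::escapeString($name);
    $i = SQLite3::escapeString($inv64);
    $a = SQLite3::escapeString($armor64);
    return $db->exec("INSERT INTO inventories(name, inventory, armor) VALUES ('$n', '$i', '$a')");
}

$db = openDatabase();
$name = "O'Brien";                          // constructed: a legitimate name containing a quote
$inv64 = base64_encode('inventory-bytes');  // constructed placeholder payloads
$armor64 = base64_encode('armor-bytes');

// The interpolated version fails on the quote (SQLite3::exec emits a warning
// and returns false); the warning is suppressed only for this demonstration.
$ok = @saveInventoryInterpolated($db, $name, $inv64, $armor64);
echo 'interpolated insert succeeded: ' . var_export($ok, true) . PHP_EOL;

// The prepared version stores the name exactly as given.
saveInventoryPrepared($db, $name, $inv64, $armor64);
echo 'prepared insert stored: ' . var_export(loadInventory($db, $name), true) . PHP_EOL;
$db->close();
```

For a mysqli-backed plugin the same split applies: mysqli::prepare() with bind_param() replaces the prepared form, and mysqli::real_escape_string() replaces the escape fallback. The prepared form is preferred in both cases because escaping must be applied to every value on every query path, whereas bound parameters cannot be forgotten on a single call site.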
