Injection Risks?

SamSnorreson

Hey everyone, I'm working on a multiplayer game and because other people use it I'm super careful about security. I wonder if there is any Injection risk in the following code of a Server based on WebSocketServer. I think it should be fine, but I want to get sure.

func _on_data(con_id: int) -> void:
	var pkg = _server.get_peer(con_id).get_packet()
	var request: Dictionary = validate_and_parse_pkg(pkg)
	print("Got data from client %d: %s ... echoing" % [con_id, pkg.get_string_from_utf8()])
	if request != {}:
		emit_signal("recived_package", con_id, request)


func validate_and_parse_pkg(pkg: PoolByteArray) -> Dictionary:
	var json_string: String = pkg.get_string_from_utf8()
	var error: String = validate_json(json_string)
	if not error:
		print("valid json format")
		return parse_json(json_string)
	else:
		prints("invalid json format: ", error)
		return {}

cybereality

Well any time you accept data from a user there is a chance they are a hacker. No way to avoid that. You'll just have to make sure you sanitize that data before saving it to a database or doing any processing on the server. Just checking that it is valid JSON is not enough. For example, if the sever accepts a username from the player. The hacker could inject SQL commands into their username, and if the server didn't sanitize the input, the hacker could wipe your database, crash your server, etc.