08:39 <@heinrich5991> needs1: you could check the ddnet source code
13:27 < needs1> heinrich5991: That was a good idea
13:28 < needs1> They use MySQL and use query variables to compute rank
13:28 < needs1> https://github.com/ddnet/ddnet/blob/master/src/game/server/score/sql_score.cpp#L723
13:33 < needs1> Hummm, it may be possible to do SQL injection using a single quote
13:42 < EastByte> needs1: the sql statements are escaped somehow
14:11 < needs1> EastByte: Ah yes, my bad : 
14:11 < needs1> https://github.com/ddnet/ddnet/blob/master/src/engine/server/sql_string_helpers.cpp#L29
14:15 <@minus> that looks scary
14:39 < needs1> I think they should rather use the binding API, wich not only solve any potential SQL injection, but also is way faster and allow reusing SQL prepared queries on different data
14:39 < needs1> Well, of course, easier to say than done ;)
14:40 < needs1> *said than doneeasier to say than done
14:40 < needs1> *sorry, wrong focus
14:55 <+necropotame> There is a problem with this anti injection function ?
15:24 <@minus> nothing in particular, but in general escaping isn't a great solution; prepared statements, like needs1 said, are the proper solution