Quote:Original post by nethackpro
Quote:Original post by Antheus
Receive into some char array 'buf', the assign to string using assign(buf, length).
So simple... I dont know why I didnt think of it. Thanks!
Let me warn you the dangers of doing that without sanitizing your input. If the user sends data in a unicode format or non-ascii characters, your game server can get really messed up or your server will forward that data to other players and their clients can get messed up. Be sure to check the contents of 'buf' for correct ASCII data before you assign to a std::string and use that data!
I've seen an exploit like this done in a F2P online MMORPG causing everyone's client to simply freeze while it spun in circles trying to handle the invalid data. Improperly using the 'ischaracter' type of functions can also result in debug runtime asserts if you are passing negative values to the function for the character to send (i.e. > 127), so you will need to make sure to test against ascii instead.
I.e. if your server has logic like this:
#include <stdlib.h>#include <string.h>#include <ctype.h>int main(int argc, char * argv[]){ char data[3]; data[0] = 'A'; data[1] = 0x80; data[2] = 0; bool bValid = true; for(int x = 0; x < strlen(data); ++x) { if(!isalnum(data[x])) { bValid = false; break; } } if(bValid) { // Handle string since it is valid } else { // Handle error } return 0;}
It will cause a debug runtime assert. If you were testing your server in debug mode with players in an alpha, you definitely don't want that happening. If you use isascii instead first to check the character and then test for valid combination of character types, you can avoid that problem.
#include <stdlib.h>#include <stdio.h>#include <string.h>#include <ctype.h>int main(int argc, char * argv[]){ char data[3]; data[0] = 'A'; data[1] = 0x80; data[2] = 0; bool bValid = true; for(int x = 0; x < strlen(data); ++x) { if(!isascii(data[x])) { bValid = false; break; } if(!isalnum(data[x])) { bValid = false; break; } } if(bValid) { // Handle string since it is valid } else { // Handle error } return 0;}
Not really the best code examples, but a few things to watch out for.