MySQL, real_escape_thing -
[WS]Hyper - 28.11.2009
I can't compile and I don't know how to solve this :S
pawn Code:
new query[128];
new sqprice,sqlocx[64],sqlocy[64],sqlocz[64],sqpickup[64];
8512 samp_mysql_real_escape_string(bizzvalue, sqprice);
8513 samp_mysql_real_escape_string(pos[0], sqlocx);
8514 samp_mysql_real_escape_string(pos[1], sqlocy);
8515 samp_mysql_real_escape_string(pos[2], sqlocz);
8516 samp_mysql_real_escape_string(pickup, sqpickup);
8517 format(query, sizeof(query), "INSERT INTO testdb (price, locX, locY, locZ, bpickup) VALUES ('%i', '%f', '%f', '%f', '%i')", sqprice,sqlocx,sqlocy,sqlocz,sqpickup);
8518 samp_mysql_query(query);
It will give errors:
Code:
(8512) : error 035: argument type mismatch (argument 1)
(8513) : warning 213: tag mismatch
(8514) : warning 213: tag mismatch
(8515) : warning 213: tag mismatch
(8516) : error 035: argument type mismatch (argument 1)
How do I fix this?
Re: MySQL, real_escape_thing -
Streetplaya - 28.11.2009
I guess your "pos" array is an array of floats, you don't need to escape floats, only strings.
Re: MySQL, real_escape_thing -
[WS]Hyper - 28.11.2009
What does samp_mysql_real_escape_string actually do?
Cause the first error is the 'bizzvalue' one, and it comes from: new bizzvalue = strval(tmp);
Why can't I just do
format(query, sizeof(query), "INSERT INTO bizzes (price, locX, locY, locZ, bpickup) VALUES ('%i', '%f', '%f', '%f', '%i')",
bizzvalue,pos[0],pos[1],pos[2],pickup);
instead of the escape thingies?
Re: MySQL, real_escape_thing -
Streetplaya - 28.11.2009
It prevents other users from injecting code into your sql query
Re: MySQL, real_escape_thing -
[WS]Hyper - 28.11.2009
I don't get it.. How are they supposed to do that? And what difference would it make if I use a normal string or the escape string? Either way, both will go into the database.. :S
Re: MySQL, real_escape_thing -
Streetplaya - 28.11.2009
Wikipedia about SQL injection
Re: MySQL, real_escape_thing -
[WS]Hyper - 28.11.2009
Oh ok, I understand half of that I think. Does it mean that players could for example type DROP table blablabla as 'value' and then that table would be deleted? And the escape thing is supposed to prevent players from typing that? If that's all it's not a big problem because only value has to be Numeric. But is there any other reason why I should use escape string? Can people 'inject' in another way?
Re: MySQL, real_escape_thing -
Streetplaya - 28.11.2009
Afaik the biggest vulnerability is sql injection with strings and you only need to escape strings.
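An added illustration of the point made in the last two posts (not code from the thread, and written in Python rather than Pawn so it can be run anywhere): a value that has gone through strval() is a plain integer and cannot carry anything but digits into the query, whereas a string column still has to be escaped before it is placed inside a quoted literal. escape_string here is a stand-in for samp_mysql_real_escape_string and is assumed to escape the same characters as MySQL's mysql_real_escape_string; the price/pos/pickup column layout is the one from the original post, with a hypothetical extra string column `name` added to show the string case.

```python
import re

# Characters mysql_real_escape_string rewrites (assumed to match the plugin's function).
_ESCAPES = {
    "\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
    "\n": "\\n", "\r": "\\r", "\x1a": "\\Z",
}


def escape_string(value: str) -> str:
    """Escape a string so it can sit safely inside a single-quoted SQL literal."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def strval(text: str) -> int:
    """Mimic Pawn's strval(): read the leading integer of the text, 0 if there is none.

    Whatever a player typed after the digits is simply discarded, which is why a
    value that has passed through strval() needs no escaping at all.
    """
    m = re.match(r"\s*[-+]?\d+", text)
    return int(m.group()) if m else 0


def build_insert(price_text: str, pos, pickup: int, name: str) -> str:
    """Build the INSERT from the thread: numeric columns via %i/%f, the string column escaped."""
    price = strval(price_text)            # integer, nothing to escape
    x, y, z = (float(v) for v in pos)     # floats, nothing to escape
    return (
        "INSERT INTO testdb (price, locX, locY, locZ, bpickup, name) "
        "VALUES ('%i', '%f', '%f', '%f', '%i', '%s')"
        % (price, x, y, z, int(pickup), escape_string(name))
    )


def quoted_literals(query: str) -> list:
    """Return the quoted literals in the query, honouring backslash escapes.

    Used to check that a player-supplied value stays inside exactly one literal
    instead of terminating it early.
    """
    return re.findall(r"'((?:\\.|[^'\\])*)'", query)


if __name__ == "__main__":
    # Constructed sample input: a price with trailing junk and a name containing a quote.
    q = build_insert("5 apples", (1.5, 2.0, -3.25), 7, "O'Brien")
    print(q)
    print(quoted_literals(q))  # six literals, the name still one of them
```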
Re: MySQL, real_escape_thing -
[WS]Hyper - 28.11.2009
Quote:
Originally Posted by MaVe - leeturl.de
Afaik the biggest vulnerability is sql injection with strings and you only need to escape strings.
So how would I do this sql injection if I were a hacker?