SA-MP Forums Archive
mysql_real_escape_string... - Printable Version




mysql_real_escape_string... - Miguel - 06.01.2010

What does mysql_real_escape_string do? I just searched a bit but I didn't really understand what it is for. I use it like:

pawn Code:
mysql_real_escape_string(PlayerInfo[playerid][PlayerName], PlayerInfo[playerid][PlayerName]);
But I don't even know why :P... explain please? kthnx bye bye.


Re: mysql_real_escape_string... - bogeymanEST - 07.01.2010

The function searches for quotes (', ") in the provided string and removes them. Here's an example:
Let's say you use this MySQL query to get someone's user stuff:
Code:
SELECT * FROM users WHERE name='John'
If someone found out the query, he could easily drop the table by changing his name, so the query might become:
Code:
SELECT * FROM users WHERE name='John'; DROP TABLE users; SELECT * FROM data WHERE 't'='t'
So now his name is
Code:
John'; DROP TABLE users; SELECT * FROM data WHERE 't'='t
Which obviously is a problem. mysql_real_escape_string removes the quotes, which prevents these things from happening.
Read more on SQL injection
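
Added example, not part of the original posts: a Python model of the character escaping that MySQL documents for mysql_real_escape_string, applied to the name from the post above, showing how the concatenated query is read with and without escaping. `mysql_escape`, `build_query` and `first_literal` are hypothetical helper names, and the server's default sql_mode (backslash escapes enabled) is assumed.

```python
# Added example. mysql_escape() models the character escaping MySQL documents
# for mysql_real_escape_string(); it is not the SA-MP plugin's own code.
ESCAPES = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
           "'": "\\'", '"': '\\"', "\x1a": "\\Z"}
# How the server decodes backslash sequences inside a quoted literal
# (assumes default sql_mode, i.e. NO_BACKSLASH_ESCAPES is off).
DECODES = {"0": "\0", "n": "\n", "r": "\r", "Z": "\x1a", "b": "\b", "t": "\t"}

def mysql_escape(value):
    """Backslash-escape the characters that could end or alter a string literal."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)

def build_query(name, escape=True):
    """Build the thread's query by concatenation (hypothetical helper)."""
    if escape:
        name = mysql_escape(name)
    return "SELECT * FROM users WHERE name='" + name + "'"

def first_literal(sql):
    """Return (decoded first '...' literal, SQL text left after its closing quote)."""
    i = sql.index("'") + 1
    out = []
    while i < len(sql):
        ch = sql[i]
        if ch == "\\" and i + 1 < len(sql):          # escaped character: stays data
            out.append(DECODES.get(sql[i + 1], sql[i + 1]))
            i += 2
        elif ch == "'" and sql[i + 1:i + 2] == "'":  # '' is also a literal quote
            out.append("'")
            i += 2
        elif ch == "'":                              # unescaped quote ends the literal
            return "".join(out), sql[i + 1:]
        else:
            out.append(ch)
            i += 1
    raise ValueError("unterminated string literal")

# The name from the post above (sample input taken from the thread).
NAME = "John'; DROP TABLE users; SELECT * FROM data WHERE 't'='t"

if __name__ == "__main__":
    for escape in (False, True):
        query = build_query(NAME, escape)
        value, rest = first_literal(query)
        print("escaped:", escape)
        print("  query :", query)
        print("  name  :", value)
        print("  after :", rest or "(nothing)")
```

Escaping only protects a value that is placed inside quotes in the query, as `name='...'` is here.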


Re: mysql_real_escape_string... - Miguel - 08.01.2010

That's what I thought, cleaning the string...

Thanks!