Simple query..but a error? - Printable Version
Simple query..but a error? -
Toni - 11.09.2010
Hi there,
Out of nowhere, I have been getting MySQL errors lately.
I don't know why, but this query is so basic, I don't even see an error in it.
pawn Code:
if(dialogid == DGen)
{
    if(response == 1)
    {
        if(!strcmp(inputtext, "Male", true) || !strcmp(inputtext, "Female", true))
        {
            format(str, sizeof(str), "UPDATE `playerinfo` SET `Gender` = '%s' WHERE `user` = '%s'", inputtext, pName(playerid));
            mysql_real_escape_string(inputtext, str);
            mysql_query(str);
            format(str, sizeof(str), "You're gender is %s", inputtext);
            SendClientMessage(playerid, YELLOW, str);
            ShowPlayerDialog(playerid, DAge, DIALOG_STYLE_INPUT, "RC:RP Age", "Please enter your age below", "Submit", "Cancel");
        }
        else
        {
            SendClientMessage(playerid, RED, "ERROR: Please only type Male or Female!");
            ShowPlayerDialog(playerid, DGen, DIALOG_STYLE_INPUT, "RC:RP Gender", "Please enter your gender below", "Submit", "Cancel");
        }
    }
    else
    {
        SendClientMessage(playerid, RED, "ERROR: You cannot cancel these steps!");
        ShowPlayerDialog(playerid, DGen, DIALOG_STYLE_INPUT, "RC:RP Gender", "Please enter your gender below", "Submit", "Cancel");
    }
}
I'm not sure, and it's not tested yet, but I am thinking it is the mysql_real_escape_string(inputtext, str); function.
I have been getting these errors after I added my business system, tbh, that wasn't the problem really.
pawn Code:
MySQL errors:
[Fri Sep 10 19:45:59 2010] Function: mysql_real_esacpe_string executed: "Male" with result: "Male".
[Fri Sep 10 19:45:59 2010] Function: mysql_query executed: "Male" with result: "1".
[Fri Sep 10 19:45:59 2010] Error (0): Failed to exeute query. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Male' at line 1.
EDIT:
yeah..it was mysql_real_escape_string.
But, after I commented it out, I'm worried about MySQL Injections, is there any way to fix this?
Re: Simple query..but a error? -
Toni - 11.09.2010
bump...still can't figure out how to fix the syntax errors with mysql_real_escape_string..
Re: Simple query..but a error? -
Vince - 11.09.2010
You need to escape the inputtext before you format it. What you're doing now is:
mysql_query("Male");
pawn Code:
new tmpinput[12];
mysql_real_escape_string(inputtext, tmpinput);
format(str, sizeof(str), "UPDATE `playerinfo` SET `Gender` = '%s' WHERE `user` = '%s'", tmpinput, pName(playerid));
mysql_query(str);
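
An added example, not code from the thread or from the plugin's authors: the escape-then-format order from the reply above, generalized so that the stored gender is a fixed constant and the player name is escaped as well. `SaveGender` is a hypothetical helper; `pName()`, the `playerinfo` table and the two-argument `mysql_real_escape_string()` are assumed to behave as they are used in the posts.

```pawn
// SaveGender is a hypothetical helper; pName(), the playerinfo table and the
// two-argument mysql_real_escape_string() are used as they appear in the thread.
stock bool:SaveGender(playerid, const inputtext[])
{
    // strcmp() returns 0 when either string is empty, so an empty input
    // would pass the Male/Female comparison below. Reject it first.
    if (inputtext[0] == '\0') return false;

    // Map the input onto one of two constants. The value written to the
    // database is then never the text the player typed ("mAlE" becomes "Male").
    new gender[7];
    if (!strcmp(inputtext, "Male", true)) strcat(gender, "Male", sizeof(gender));
    else if (!strcmp(inputtext, "Female", true)) strcat(gender, "Female", sizeof(gender));
    else return false;

    // Escape every other string into its OWN buffer before format().
    // The second argument is the destination: passing the query string there
    // overwrites the query, which is what produced
    //   mysql_query executed: "Male"
    // in the log. Escaping can double each character, hence 2 * n + 1 cells.
    new escName[2 * MAX_PLAYER_NAME + 1];
    mysql_real_escape_string(pName(playerid), escName);

    new query[128];
    format(query, sizeof(query),
        "UPDATE `playerinfo` SET `Gender` = '%s' WHERE `user` = '%s'",
        gender, escName);
    mysql_query(query);
    return true;
}
```

The dialog handler would call `SaveGender(playerid, inputtext)` and show the gender dialog again when it returns false.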