mysql_real_escape - Printable Version
SA-MP Forums Archive (https://sampforum.blast.hk)
Forum: SA-MP Scripting and Plugins > Scripting Help (https://sampforum.blast.hk/forumdisplay.php?fid=12)
Thread: mysql_real_escape (/showthread.php?tid=309059)
mysql_real_escape -
jaskiller - 06.01.2012
Hi, I want to know when I must escape. Test example:
PHP code:
new query[128], name[25];
GetPlayerName(playerid, name, sizeof(name)); // standard SA-MP call: fills name with the player's name
// both strings are formatted straight into the query, nothing escaped yet
format(query, sizeof(query), "INSERT INTO players(name,pass) VALUES('%s','%s')", name, inputtext);
mysql_query(query);
Must I escape only inputtext, or name as well?
And another question:
PHP code:
case DIALOG_LOGIN:
{
    new query[128], pass[25];
    // PlayerName(playerid) is a helper that returns the player's name
    format(query, sizeof(query), "SELECT pass FROM players WHERE name = '%s'", PlayerName(playerid));
    mysql_query(query);
    mysql_store_result(); // the result is stored, but pass is never filled from it
}
How can I read the value of "pass"?
Re: mysql_real_escape -
Joe_ - 06.01.2012
When you use the string placeholder in your query, it's a good idea to use mysql_real_escape to stop injections, so if you have 3 string placeholders, I would escape all 3 strings to be safe.
You can use mysql_fetch_field to retrieve the value of a field.
You must have selected the player's row and stored the result before you use it.
pawn code:
// EscapeString holds the player's name after it has been run through mysql_real_escape_string
format(query, sizeof(query), "SELECT * FROM players WHERE name = '%s'", EscapeString);
mysql_query(query);
mysql_store_result(); // keep the result so the fields can be fetched below
pawn code:
if(mysql_num_rows()) // Check if it found the player's row, because if you use mysql_fetch_field on an invalid field, it will crash the plugin.
{
    new Password[32];
    mysql_fetch_field_row(Password, "pass"); // Stores the value of the pass field in the string Password.
}
mysql_free_result(); // release the stored result once you are done with it
Re: mysql_real_escape -
Sinner - 06.01.2012
You use mysql_escape_string() whenever a user must INPUT something and MySQL uses this input to run a query. (So passwords, logins, name changes, ... anything where the user types something in and MySQL is involved.)
The point of mysql_escape_string() is that nobody can mess with your queries, e.g. make them do something they shouldn't do (in other words, SQL injection).
Re: mysql_real_escape -
jaskiller - 06.01.2012
Thanks, dudes. So I don't need to escape the name of the player, because he doesn't input it:
GetPlayerName(playerid....);
?
Re: mysql_real_escape -
Joe_ - 06.01.2012
I would, to be safe, but you don't need to.
There's always somebody trying to do something bad.
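Added example, written for this archive page and not code from the thread or from the MySQL plugin's documentation. It puts Joe_'s advice (escape every string placeholder, guard with mysql_num_rows before fetching) and Sinner's rule (escape whatever the user types before MySQL sees it) into one register/login script. Assumptions: the BlueG MySQL plugin API of early 2012 (mysql_real_escape_string(source[], destination[]), mysql_query, mysql_store_result, mysql_num_rows, mysql_fetch_field_row, mysql_free_result), a connection already opened with mysql_connect elsewhere, the thread's table players(name, pass), and made-up dialog ids DIALOG_REGISTER and DIALOG_LOGIN. Two things the thread's snippets do not show: an escaped string can be up to twice as long as the input, so query[128] from the first post can overflow once both strings are escaped, and the stored result must be freed. Like the thread, it stores pass as plain text; hashing it before the INSERT is a separate concern not covered here.

```pawn
// Added example: escaping both placeholders, then reading the pass column.
// Assumed plugin API (R5/R6 era): mysql_real_escape_string(src[], dest[]),
// mysql_query, mysql_store_result, mysql_num_rows,
// mysql_fetch_field_row(dest[], const fieldname[]), mysql_free_result.
// The connection is assumed to be open already; dialog ids are made up.
#include <a_samp>
#include <a_mysql>

#define DIALOG_REGISTER 1
#define DIALOG_LOGIN    2
#define MAX_PASS_LEN    25

// Worst case for an escaped string: every character becomes two (' -> \'),
// plus the terminator. Escape buffers and the query are sized for that;
// the thread's query[128] is too small once both strings are escaped.
#define ESCAPED_LEN(%0) ((%0) * 2 + 1)

// First post's INSERT, with every string placeholder escaped first.
// The name is not typed into the dialog, but escaping it costs nothing
// (Joe_'s "I would, to be safe").
// Why it matters for inputtext: with pass = x'),('Admin','p unescaped,
// the statement becomes
//   INSERT INTO players(name,pass) VALUES('Bob','x'),('Admin','p')
// and a second, attacker-chosen row is written. Escaped, the quote is
// sent as \' and the whole string lands in Bob's pass column.
stock RegisterPlayer(playerid, const inputtext[])
{
    if (strlen(inputtext) == 0 || strlen(inputtext) >= MAX_PASS_LEN)
        return 0; // reject instead of silently truncating the password

    new name[MAX_PLAYER_NAME], safename[ESCAPED_LEN(MAX_PLAYER_NAME)];
    new safepass[ESCAPED_LEN(MAX_PASS_LEN)];
    GetPlayerName(playerid, name, sizeof(name));
    mysql_real_escape_string(name, safename);
    mysql_real_escape_string(inputtext, safepass);

    new query[192];
    format(query, sizeof(query),
        "INSERT INTO players(name,pass) VALUES('%s','%s')", safename, safepass);
    mysql_query(query);
    return 1;
}

// Second post's SELECT plus Joe_'s mysql_fetch_field_row. Returns 1 when
// the typed password matches the stored one, 0 otherwise.
stock CheckLogin(playerid, const inputtext[])
{
    new name[MAX_PLAYER_NAME], safename[ESCAPED_LEN(MAX_PLAYER_NAME)];
    GetPlayerName(playerid, name, sizeof(name));
    mysql_real_escape_string(name, safename);

    new query[128];
    format(query, sizeof(query),
        "SELECT pass FROM players WHERE name = '%s'", safename);
    mysql_query(query);
    mysql_store_result();

    new ok = 0;
    // Guard before fetching: fetching from an empty result crashes the plugin.
    if (mysql_num_rows() > 0)
    {
        new stored[MAX_PASS_LEN];
        mysql_fetch_field_row(stored, "pass");
        // Pawn's strcmp can report 0 (equal) when one of the strings is
        // empty, so check for empty strings explicitly before comparing.
        if (stored[0] != '\0' && inputtext[0] != '\0'
            && strcmp(stored, inputtext, false) == 0)
        {
            ok = 1;
        }
    }
    mysql_free_result(); // always release the stored result
    return ok;
}

public OnDialogResponse(playerid, dialogid, response, listitem, inputtext[])
{
    #pragma unused listitem
    if (!response) return 0;
    switch (dialogid)
    {
        case DIALOG_REGISTER:
        {
            if (!RegisterPlayer(playerid, inputtext))
                SendClientMessage(playerid, 0xFF0000FF, "Password must be 1 to 24 characters.");
            return 1;
        }
        case DIALOG_LOGIN:
        {
            if (CheckLogin(playerid, inputtext))
                SendClientMessage(playerid, 0x00FF00FF, "Logged in.");
            else
                SendClientMessage(playerid, 0xFF0000FF, "Wrong name or password.");
            return 1;
        }
    }
    return 0;
}
```

Usage: show the two dialogs with ShowPlayerDialog using DIALOG_REGISTER and DIALOG_LOGIN as the dialog ids; the callback routes the typed text to the two functions. The escape buffers are sized at twice the input plus one so that a string made entirely of quotes still fits; if you keep the thread's fixed query[128], work out the maximum escaped length of each placeholder before trusting that size.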