/*
 * Query callback: chooses between the registration and the login dialog.
 *
 * playerid - player the account lookup was issued for.
 * acc      - account name inserted into the greeting text.
 *
 * Reads the row count of the active query cache. Zero rows opens the
 * Register dialog, one or more rows opens the Login dialog.
 * Always returns 1.
 */
MySQL_Account( playerid , acc[ ] )
{
    new row_count, field_count, message[ 256 ];

    cache_get_data( row_count , field_count );

    // At least one row was returned for this name: ask for the password.
    if( row_count )
    {
        format( message , sizeof( message ) , "{FFFFFF}Welcome back, {0537FF}%s {FFFFFF}!\n{FFFFFF}You need to login before playing." , acc );
        SPD( playerid , Login, PASS, "{FFFFFF}Login" , message , "Login" , "Cancel" );
        return 1;
    }

    // No row for this name: offer registration instead.
    format( message , sizeof( message ) , "{FFFFFF}Welcome, {0537FF}%s {FFFFFF}!\n{FFFFFF}You need to register before playing !" , acc );
    SPD( playerid , Register , PASS , "{FFFFFF}Register" , message , "Register" , "Kick" );
    return 1;
}
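/*
 * Query callback for a login attempt.
 *
 * playerid - player who submitted the password.
 * acc      - account name passed through by the query call (not read here;
 *            the messages use GetName( playerid ) instead).
 *
 * When the query returned a row, column 0 is stored as SQL_ID and column 3 as
 * Admin. When it returned nothing, the attempt counts as a failed login: the
 * player is prompted again until the third failure, then kicked.
 */
MySQL_Load_Data( playerid , acc[ ] )
{
    new rows, fields, str[ 256 ];

    cache_get_data( rows , fields );

    if( rows )
    {
        cache_get_row( 0 , 0 , str );
        P_DATA[ playerid ][ SQL_ID ] = strval( str );
        cache_get_row( 0 , 3 , str );
        P_DATA[ playerid ][ Admin ] = strval( str );
    }
    else
    {
        // NOTE(review): where FailedLogins is reset is not shown here. If it is
        // cleared on every connect, reconnecting restarts the three-attempt
        // limit; confirm whether a per-account or per-IP limit is also needed.
        P_DATA[ playerid ][ FailedLogins ] ++ ;

        // ">=" rather than "==" so a counter that somehow passes 3 still ends
        // in a kick instead of a negative "chances left" prompt.
        if( P_DATA[ playerid ][ FailedLogins ] >= 3 )
        {
            format(str,sizeof( str ),"%s {FFFFFF}has been kicked ! [ Reason: {FF0000}Wrong Password {FFFFFF}]", GetName( playerid ) );
            SendClientMessageToAll( C_B, str );

            // The notice is about 80 characters long; a 30-cell buffer cut it
            // off after the first few words.
            new Text[ 128 ];
            format( Text, sizeof( Text ), "{FFFFFF}You have been kicked because you tiped wrong your password for 3 times !" );
            SPD( playerid, PassKick, PASS, "{FF0000}KICKED !", Text, "Ok", "" );

            // NOTE(review): on some server versions Kick() can drop the
            // connection before the dialog above reaches the client; confirm
            // whether the kick should be deferred by a short timer.
            Kick( playerid );
        }
        else
        {
            // Attempts remain: show the login prompt again with the remaining count.
            format( str, sizeof( str ),"{FFFFFF}Hey, {0537FF}%s {FFFFFF}!\n{FFFFFF}You have entered the wrong passowrd !\n{FFFFFF}Please, retype your password below but careful because you have just {0537FF}%i {FFFFFF}chanches left !",GetName( playerid ) , 3 - P_DATA[ playerid ][ FailedLogins ] );
            SPD( playerid, Login, PASS, "Login", str, "Login", "Exit");
        }
    }
    // NOTE(review): the pasted listing stops here; the function's closing brace
    // and any return statement are not shown.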
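// Look up whether an account row exists for this player's name. The result is
// delivered asynchronously to the MySQL_Account callback together with the
// player id and the name string ("is" = integer, string).
new
    pName[ MAX_PLAYER_NAME ],
    // Escaping can emit two characters per input character, so the destination
    // is sized for the worst case instead of matching the source buffer.
    pName1[ 2 * MAX_PLAYER_NAME + 1 ],
    Query[ 256 ]
;
GetPlayerName( playerid , pName , sizeof( pName ));
// The name is client-supplied, so it is escaped before being placed inside the
// quoted SQL literal below.
mysql_real_escape_string( pName , pName1 );
format( Query , sizeof( Query ) , "SELECT Name FROM Users WHERE Name = '%s' LIMIT 0,1" , pName1 );
mysql_function_query( 1 , Query , true , "MySQL_Account" , "is" , playerid , pName1 );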
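// Registration insert. Both values placed inside quoted SQL literals come from
// the player, so both are escaped. Previously only the name was, which left the
// password field open to SQL injection.
mysql_real_escape_string( name , name2 );

// Worst case every input character is escaped to two characters.
// NOTE(review): sized on the assumption that the password comes from a dialog
// input of at most 128 characters; confirm against how `password` is declared.
new password_escaped[ 2 * 128 + 1 ];
mysql_real_escape_string( password , password_escaped );

// NOTE(review): the password appears to be stored as supplied. If it is not
// hashed before this point, store a salted hash instead of the plain text.
// NOTE(review): `string` must be large enough for the full statement; a
// truncated query will fail rather than insert.
format( string, sizeof( string ) , "INSERT INTO `Users` (Name,Password,AdminLevel,VipLevel) VALUES('%s', '%s', '%d', '%d')" , name2 , password_escaped , 0, 0 );
mysql_function_query( 1 , string , false , "" , "" );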
Don't use mysql_real_escape_string on player names; they can't be used for SQL injection. mysql_real_escape_string needs to be used only when a string can contain ` or '.
Everything looks OK. Is it inserting into the database? If yes, check that ALL columns are correct.
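Not true. ANY user input can be used for injection. Rule no. 1 for secure applications: never trust user input. That covers every value placed into a query, such as the name and the password in the INSERT above, so each one should be escaped or bound as a parameter.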
|