SA-MP Forums Archive
sscanf - Printable Version

+- SA-MP Forums Archive (https://sampforum.blast.hk)
+-- Forum: SA-MP Scripting and Plugins (https://sampforum.blast.hk/forumdisplay.php?fid=8)
+--- Forum: Scripting Help (https://sampforum.blast.hk/forumdisplay.php?fid=12)
+--- Thread: sscanf (/showthread.php?tid=556445)



sscanf - Banditukas - 10.01.2015

Hi,

Does sscanf escape strings? Because now I use threaded queries and I have player variables

Code:
new VariableFP[ MAX_PLAYERS ][ MAX_PLAYER_NAME ];
Code:
// the number in s[] is the size of the destination array; MAX_PLAYER_NAME is 24,
// so s[25] would allow one character too many
if (sscanf(params, "s[24]", VariableFP[ playerid ] ))
{
return 1;
}
And I have a query inside it. In the callback I update by player name using VariableFP, but if the player writes this command again he can change the VariableFP value to something else, and then when the query completes and takes the value from VariableFP it will not be the same one, and the player could do SQL injection.


Re: sscanf - bgedition - 10.01.2015

Sorry, this is wrong.


Re: sscanf - Banditukas - 10.01.2015

Read the whole message...


Re: sscanf - bgedition - 10.01.2015

Sorry, and this is wrong.


Re: sscanf - Banditukas - 10.01.2015

What the fuck are you saying? I was talking about queries; about sscanf escaping I was just giving examples.


Re: sscanf - PowerPC603 - 10.01.2015

Even if sscanf won't escape text entered by a player, when you use the variable's contents in a query, escape it using the %e identifier instead of %s inside mysql_format.

Something like this:
pawn Code:
// sscanf returns 0 on success, so the query must run only when parsing succeeded;
// s[24] matches the MAX_PLAYER_NAME (24) array size
if (!sscanf(params, "s[24]", VariableFP[ playerid ] ))
{
    mysql_format(SQL_db, Query, sizeof(Query), "UPDATE playerdata SET VarFP = '%e' WHERE ID = '%i'", VariableFP[playerid], ID);
    mysql_tquery(SQL_db, Query, "", "");
    return 1;
}
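As an added example (not code from anyone in this thread), here is the same idea carried through to the threaded case the original question is about: the player's input goes into a local buffer instead of a per-player global, so a second command cannot overwrite it before the query finishes, `%e` escapes it inside `mysql_format`, and the value the callback needs is passed through `mysql_tquery`'s format arguments rather than re-read from a global later. It assumes zcmd (`CMD:`), sscanf2 and BlueG's MySQL plugin (R39 or later); the connection handle `SQL_db`, the `AccountID[]` array and the `/setfp` command name are hypothetical.

```pawn
// Added example, not from the thread. Assumes zcmd, sscanf2 and the BlueG MySQL
// plugin (R39+). SQL_db and AccountID[] are hypothetical globals defined elsewhere.

CMD:setfp(playerid, params[])
{
    // Local buffer: no other command invocation can change it while the query runs.
    new fp[MAX_PLAYER_NAME];
    if (sscanf(params, "s[24]", fp))   // 24 == MAX_PLAYER_NAME, the size of fp[]
        return SendClientMessage(playerid, -1, "Usage: /setfp [name]");

    // %e escapes the player-supplied string; the id is an integer, formatted with %d.
    new query[128];
    mysql_format(SQL_db, query, sizeof(query),
        "UPDATE playerdata SET VarFP = '%e' WHERE ID = %d", fp, AccountID[playerid]);

    // Hand the callback its own copy of the value ("ds" = integer, string) instead of
    // reading a shared variable once the query completes.
    mysql_tquery(SQL_db, query, "OnSetFPDone", "ds", playerid, fp);
    return 1;
}

forward OnSetFPDone(playerid, const fp[]);
public OnSetFPDone(playerid, const fp[])
{
    // Zero affected rows means the WHERE clause matched nothing.
    if (cache_affected_rows() == 0)
        return SendClientMessage(playerid, -1, "Update failed: no such account.");

    new msg[64];
    format(msg, sizeof(msg), "FP set to '%s'.", fp);
    SendClientMessage(playerid, -1, msg);
    return 1;
}
```

The escaping alone closes the injection; the local buffer plus the callback arguments close the window the original poster describes, where the stored value changes between the command and the query completing.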



Re: sscanf - Banditukas - 10.01.2015

Thanks, I need that. And can I use %e for every string?


Re: sscanf - bgedition - 10.01.2015

EDIT: Yes!