SA-MP Forums Archive
Escape string - Printable Version

+- SA-MP Forums Archive (https://sampforum.blast.hk)
+-- Forum: SA-MP Scripting and Plugins (https://sampforum.blast.hk/forumdisplay.php?fid=8)
+--- Forum: Scripting Help (https://sampforum.blast.hk/forumdisplay.php?fid=12)
+--- Thread: Escape string (/showthread.php?tid=598317)



Escape string - Squirrel - 10.01.2016

Alright, so I've got a simple question: since I want to avoid any data injection, could I simply do things such as

PHP code:
new query[128];
// mysql_format(handle, dest[], sizeof(dest), format, ...) - %e escapes the string argument
mysql_format(mysqlquery, query, sizeof(query), "UPDATE `players` SET `Username`='%e' WHERE `ID`=%d", NewName, AccInfo[playerid][ID]);
// the formatted buffer is what gets sent
mysql_tquery(mysqlquery, query);
Or would I have to escape the string another way?

I'm trying to understand how it all works.

So basically, is it enough if I use '%e' when formatting, or do I still have to do something to avoid data injection?


Re: Escape string - ikey07 - 10.01.2016

I believe in this mysql version you are using, %e is enough, although you should use the usual mysql string escape.


Re: Escape string - Squirrel - 10.01.2016

Quote:
Originally Posted by ikey07
I believe in this mysql version you are using, %e is enough, although you should use the usual mysql string escape.
Yes, but how do I use it? I'm not that good with this, to be honest.


Re: Escape string - itsCody - 10.01.2016

%e escapes the string; it should be good enough.


Re: Escape string - Squirrel - 10.01.2016

Thanks! That's all I needed! ++rep


Re: Escape string - yvoms - 10.01.2016

%e is indeed an escape specifier;
I'm using it in my code too.
Code:
mysql_format(mysql, query, sizeof(query), "SELECT * FROM `players` WHERE `Username` = '%e' LIMIT 1", Name[playerid]);
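The question the thread keeps circling (what `%e` actually does to the value, and why `%s` would not be safe) is easiest to see on a string that contains a quote. The following Python model is an added illustration, not code from the thread, from the SA-MP MySQL plugin or from the posters: `mysql_escape` applies the rewrite table of MySQL's mysql_real_escape_string (which is what the plugin's `%e` is documented to use; that it matches byte for byte is an assumption), `mysql_format` is a stand-in for the plugin native with only the specifiers used here, `sql_literals` parses the finished query back into its quoted literals, and `unquoted_escapes` flags a `%e` that is not wrapped in quotes. All helper names and the sample values (`O'Brien`, player ID `42`) are constructed for the example.

```python
# Added illustration (not code from the thread or from the SA-MP MySQL plugin):
# a small model of what an escaped placeholder does inside a query that is
# built with a format call.  The escape table follows MySQL's
# mysql_real_escape_string; that the plugin's %e applies exactly these rules
# is an assumption, and every helper name below is hypothetical.
import re

# Characters mysql_real_escape_string rewrites, mapped to their escaped form.
_ESCAPES = {
    "\0": "\\0",
    "\n": "\\n",
    "\r": "\\r",
    "\\": "\\\\",
    "'": "\\'",
    '"': '\\"',
    "\x1a": "\\Z",
}

def mysql_escape(value):
    """Escape a value so it can sit inside a quoted SQL string literal."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

_SPEC = re.compile(r"%([sedi])")

def mysql_format(fmt, *args):
    """Stand-in for a format routine with an extra %e specifier.

    %s splices the argument in verbatim, %e escapes it first, and %d / %i
    render an integer.  Only the specifiers needed for the examples exist.
    """
    it = iter(args)
    def sub(match):
        spec, arg = match.group(1), next(it)
        if spec == "e":
            return mysql_escape(str(arg))
        if spec in "di":
            return str(int(arg))   # a non-numeric value raises instead of being spliced in
        return str(arg)
    return _SPEC.sub(sub, fmt)

def sql_literals(query):
    """Return the single-quoted literals in query, or None if a quote is left open.

    Backslash escapes are honoured, so an escaped quote does not end the literal.
    A value that broke out of its literal shows up as an extra literal or as
    an unterminated one.
    """
    literals, i, n = [], 0, len(query)
    while i < n:
        if query[i] != "'":
            i += 1
            continue
        j, buf = i + 1, []
        while j < n and query[j] != "'":
            step = 2 if query[j] == "\\" and j + 1 < n else 1
            buf.append(query[j:j + step])
            j += step
        if j >= n:
            return None            # opening quote never closed
        literals.append("".join(buf))
        i = j + 1
    return literals

def unquoted_escapes(fmt):
    """Offsets of %e specifiers that are not wrapped in single quotes.

    Escaping only helps inside a quoted literal; a value spliced in bare
    (for instance into a LIMIT or ORDER BY clause) is not protected by %e.
    """
    return [m.start() for m in _SPEC.finditer(fmt)
            if m.group(1) == "e"
            and not (fmt[m.start() - 1:m.start()] == "'" and fmt.startswith("'", m.end()))]

# Constructed sample data: a username containing a quote and a player ID.
SAMPLE_NAME, SAMPLE_ID = "O'Brien", 42
QUERY_FMT = "UPDATE `players` SET `Username`='%e' WHERE `ID`=%d"

if __name__ == "__main__":
    safe = mysql_format(QUERY_FMT, SAMPLE_NAME, SAMPLE_ID)
    unsafe = mysql_format(QUERY_FMT.replace("%e", "%s"), SAMPLE_NAME, SAMPLE_ID)
    print("with %e:", safe, "->", sql_literals(safe))
    print("with %s:", unsafe, "->", sql_literals(unsafe))
    print("bare %e at offsets:", unquoted_escapes("SELECT * FROM `players` LIMIT %e"))
```

With `%e` the name arrives as `'O\'Brien'` and the query still has exactly one string literal; with `%s` the same name closes the literal after `O` and leaves the rest of the statement dangling, which is the failure the escaping exists to prevent. Two limits worth keeping in mind: `%e` does nothing for a value that is not inside quotes in the format string (the last helper flags such a placeholder), and it is not the right tool for numeric columns, where `%d` as in the original `WHERE `ID`=%d` is what keeps the value an integer.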