SA-MP Forums Archive
Why do we escape strings? - Printable Version

+- SA-MP Forums Archive (https://sampforum.blast.hk)
+-- Forum: SA-MP Scripting and Plugins (https://sampforum.blast.hk/forumdisplay.php?fid=8)
+--- Forum: Scripting Help (https://sampforum.blast.hk/forumdisplay.php?fid=12)
+--- Thread: Why do we escape strings? (/showthread.php?tid=599172)



Why do we escape strings? - SystemX - 22.01.2016

I've been working with MySQL for a while, but there's one thing I don't get: why do we escape strings? What does it even mean?


Re: Why do we escape strings? - SickAttack - 22.01.2016

It's to prevent SQL injection.

Enter "DROP TABLE `accounts`" on a dialog that processes a query. Try it out (but take caution on what it does).

http://www.w3schools.com/sql/sql_injection.asp

The first thing you'll notice behind that link:

An SQL Injection can destroy your database.

I think that's pretty clear and explains why you should escape strings on queries.

By the way, use the specifier "%q" in the function "format" to escape a string. It is used in place of the specifier "%s".
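To make the difference between an unescaped "%s" and an escaping specifier like "%q" concrete, here is an added example (in Python against an in-memory SQLite database, not Pawn, and not from the thread). It assumes that %q-style escaping doubles single quotes, which is what SQLite-style escaping does; the `accounts` table and its row are constructed sample data.

```python
"""Added example: the same login query built the way format() builds it,
once with %s (no escaping) and once with %q-style escaping, then run
against a constructed SQLite table to show which one an injected value
breaks out of."""
import sqlite3


def escape_q(value: str) -> str:
    """Assumed %q behaviour: double every single quote so the value can
    never close the quoted literal it is placed in."""
    return value.replace("'", "''")


def build_query(name: str, password: str, escape: bool) -> str:
    """Build the query as format() would: %s inserts the text verbatim,
    the escaping variant runs it through escape_q() first."""
    if escape:
        name, password = escape_q(name), escape_q(password)
    return ("SELECT Name FROM accounts WHERE Name = '%s' AND Password = '%s'"
            % (name, password))


def setup_db() -> sqlite3.Connection:
    # Constructed sample data for the demonstration only.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (Name TEXT, Password TEXT)")
    db.execute("INSERT INTO accounts VALUES ('Admin', 'correcthorse')")
    return db


def login_matches(db: sqlite3.Connection, name: str, password: str,
                  escape: bool) -> int:
    """Number of account rows the (possibly injected) query matches."""
    return len(db.execute(build_query(name, password, escape)).fetchall())


if __name__ == "__main__":
    db = setup_db()
    injected = "' OR '1'='1"  # closes the literal and adds an always-true test
    print(build_query("Admin", injected, escape=False))
    print("unescaped matches:", login_matches(db, "Admin", injected, False))
    print(build_query("Admin", injected, escape=True))
    print("escaped matches:  ", login_matches(db, "Admin", injected, True))
```

With "%s" the injected value turns the WHERE clause into `... AND Password = '' OR '1'='1'`, which matches every account; with escaping the quotes stay inside the literal and nothing matches.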


Re: Why do we escape strings? - SystemX - 22.01.2016

Quote:
Originally Posted by SickAttack
It's to prevent SQL injection.

Enter "DROP TABLE `accounts`" on a dialog that processes a query. Try it out (but take caution on what it does).

http://www.w3schools.com/sql/sql_injection.asp

The first thing you'll notice behind that link:

An SQL Injection can destroy your database.

I think that's pretty clear and explains why you should escape strings on queries.

By the way, use the specifier "%q" in the function "format" to escape a string. It is used in place of the specifier "%s".
Oh thanks, you just explained it in a couple of lines. Cool. +rep


Re: Why do we escape strings? - Jack_SMalls - 22.01.2016

Quote:
Originally Posted by SystemX
Oh thanks, you just explained it in a couple of lines. Cool. +rep
Never trust the client and never trust that their input is safe. Very important when working with SQL in any case.


Re: Why do we escape strings? - SystemX - 22.01.2016

Quote:
Originally Posted by Jack_SMalls
Never trust the client and never trust that their input is safe. Very important when working with SQL in any case.
Got it!