SA-MP Forums Archive
Escaping ' and " - Printable Version

+- SA-MP Forums Archive (https://sampforum.blast.hk)
+-- Forum: SA-MP Scripting and Plugins (https://sampforum.blast.hk/forumdisplay.php?fid=8)
+--- Forum: Scripting Help (https://sampforum.blast.hk/forumdisplay.php?fid=12)
+--- Thread: Escaping ' and " (/showthread.php?tid=600964)



Escaping ' and " - CSCripMa - 15.02.2016

Hi,

Do I need to not let people write ' and "? Is that escaping already, or is it not harmful? I mean, talking about syntax errors.


Re: Escaping ' and " - SickAttack - 15.02.2016

On the chat? Well, no. Nothing happens if they use those characters.

In a script, use \' and \".

\' = '
\" = "


Re: Escaping ' and " - CSCripMa - 15.02.2016

I'm talking about MySQL queries:

update table set text='%s'


%s is text from a variable; say it contains:

knlb'gas";qweasd

Then the query looks like:

update table set text='knlb'gas";qweasd'

From the structure it looks like the query will end at update table set text='knlb', am I right or not? Do I get a syntax error?


Re: Escaping ' and " - zPain - 15.02.2016

Double the single quotes in order to escape them.

PHP code:
UPDATE table SET field='Tes''t' 



Re: Escaping ' and " - CSCripMa - 15.02.2016

Is escaping done already, or do I need to do it myself? Because it will be text from a variable.


Re: Escaping ' and " - Jefff - 15.02.2016

Yes, you should escape every player text: WHERE text = '%q', or %e in mysql_format.


Re: Escaping ' and " - Abagail - 15.02.2016

Escaping doesn't have anything to do with syntax errors. The point of escaping is to rid a query of potential exploitation and navigation away from the desired query (example: putting an arbitrary value that isn't desired by the server, but will help you).

The MySQL plugin (the one by BlueG, currently maintained by maddinat0r) provides a mysql_format function with %e, which escapes the string during formatting (the function has the same syntax/usage as the format function).

The plugin also provides a native mysql_escape_string function to escape a string:
Pawn code:
native mysql_escape_string(const source[], destination[], connectionHandle = 1, max_len = sizeof(destination))
http://stackoverflow.com/questions/6...ring-really-do may help you better understand what happens when you escape a query string.
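The plugin's %e and mysql_escape_string cannot be run outside a SA-MP server, so here is an added Python example (not code from the thread or from the plugin) that models the backslash escaping MySQL's escape routines apply, zPain's quote doubling, and a small scanner that reports where the single-quoted literal in the thread's UPDATE statement really ends for the input knlb'gas";qweasd. The escape table, the scanner and the helper names are assumptions modelling MySQL's default behaviour, not the plugin's implementation.

```python
# Added example, not code from the thread or the MySQL plugin. It models the
# backslash escaping MySQL's escape routines apply (what %e / mysql_escape_string
# give you), zPain's quote doubling, and a small scanner that reports where the
# single-quoted literal in the thread's UPDATE statement really ends.

# Characters MySQL's escape routine rewrites, and their replacements (assumed).
_MYSQL_ESCAPES = {
    "\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
    "'": "\\'", '"': '\\"', "\x1a": "\\Z",
}


def escape_mysql(value: str) -> str:
    """Backslash-escape a value for use inside a MySQL string literal."""
    return "".join(_MYSQL_ESCAPES.get(ch, ch) for ch in value)


def escape_by_doubling(value: str) -> str:
    """Standard-SQL alternative from the thread: double every single quote."""
    return value.replace("'", "''")


def literal_end(query: str, start: int) -> int:
    """Index just past the single-quoted literal opening at `start`, or -1.

    Honours backslash escapes and doubled quotes, as MySQL does by default.
    """
    i = start + 1
    while i < len(query):
        ch = query[i]
        if ch == "\\":
            i += 2  # the escaped character cannot close the literal
        elif ch == "'" and query[i + 1:i + 2] == "'":
            i += 2  # doubled quote: still inside the literal
        elif ch == "'":
            return i + 1
        else:
            i += 1
    return -1


def build_query(value: str, escaper=None) -> str:
    """Build the thread's UPDATE statement, optionally escaping the value."""
    if escaper is not None:
        value = escaper(value)
    return "update table set text='%s'" % value


PLAYER_TEXT = "knlb'gas\";qweasd"  # constructed sample, the thread's own input
```

Run literal_end on build_query(PLAYER_TEXT) and the literal closes after knlb, exactly as CSCripMa suspected; with either escaper it closes at the end of the statement.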