mysql_format player name -
Aa12 - 21.02.2016
Code:
mysql_format(mysql, query, sizeof(query),"UPDATE `accounts` SET `Veh`=1 WHERE `Name` = '%e'" ,PlayerNameGet(playerid));
mysql_tquery(mysql, query, "", "");
printf("%s", query);
printf("%s", PlayerNameGet(playerid));
what I get printed
UPDATE `accounts` SET `Veh`=1 WHERE `Name` = ''
myname
as you probably already understood, problem is that I can't format player name with mysql_format
Re: mysql_format player name -
Aa12 - 21.02.2016
my PlayerNameGet function btw
stock PlayerNameGet(playerid)
{
new pName[MAX_PLAYER_NAME];
GetPlayerName(playerid, pName, MAX_PLAYER_NAME);
return pName;
}
Re: mysql_format player name -
LocMax - 21.02.2016
Where do you format that query?
Re: mysql_format player name -
Chump - 21.02.2016
Why is the player's name being escaped? It's completely unnecessary.
Change '%e' to '%s', and increase the size of 'query'. It seems that there isn't enough space in the query to insert the player's name. This should help.
Re: mysql_format player name -
AmigaBlizzard - 21.02.2016
Quote:
Originally Posted by Chump
Why is the player's name being escaped? It's completely unnecessary.
Change '%e' to '%s', and increase the size of 'query'. It seems that there isn't enough space in the query to insert the player's name. This should help.
That's not true, you need to escape EVERYTHING inputted by players: playernames, company-names, housenames, vehiclenames, anything they can enter that would eventually be saved into your database.
Basic idea behind it: NEVER trust any player.
Samp is already flooded by hackers and cheaters, so don't give advice about not escaping playernames, you'll regret it someday.
Players could choose to enter "; DROP TABLE accounts;" as their name, it would wipe your database upon logging in.
It's not a regular name you would see everyday, but it does the trick in messing up your server.
If they know you never escape playernames, sooner or later someone will mess up your server using mysql injections like this.
But you are right by suggesting to increase the size of the query variable.
Since it's not shown in the code, we can only guess the variable is too small.
Some good advice:
When you register a new player account, you should have a column that identifies every player with a unique ID.
That column can be called "UserID" and should have "Primary key" and auto-increment in the settings.
Only when connecting, you should find the player's name in the database and load his UserID.
During every action later on in the database, you should use the UserID as it's only an integer.
Mysql works a lot faster when searching for integer values instead of entire strings like playernames.
It increases your overall mysql performance.
For a small server, you won't notice a difference, but when your script grows large, taking off some percentages off your cpu can make a difference in terms of lag.
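As an added example (not code from this thread), here is how the two pieces of advice above fit together in Pawn: escape the player-supplied name with %e in a buffer sized for the worst case, resolve it once on connect to an integer UserID, and key every later UPDATE on that integer. It assumes the BlueG MySQL plugin R39 API (mysql_format, mysql_tquery, cache_get_row_count, cache_get_field_content_int), a global connection handle named `mysql`, and the hypothetical names OnAccountLookup and SavePlayerVehicle.

```pawn
// Added example: escape every player-supplied string, derive the buffer
// size instead of guessing it, and switch to an integer key after login.
// Assumes BlueG MySQL plugin R39 and a connection handle opened elsewhere.
#include <a_samp>
#include <a_mysql>

new mysql;                  // connection handle, set in OnGameModeInit
new gUserID[MAX_PLAYERS];   // integer account key per player, 0 = not loaded

// Worst case for %e: every character of the name escaped to two characters.
// MAX_PLAYER_NAME is 24, so 48 cells for the name plus the fixed SQL text.
#define NAME_ESCAPED_MAX (MAX_PLAYER_NAME * 2)

public OnPlayerConnect(playerid)
{
    new name[MAX_PLAYER_NAME], query[80 + NAME_ESCAPED_MAX];
    GetPlayerName(playerid, name, sizeof(name));
    gUserID[playerid] = 0;
    // %e escapes quotes and backslashes, so the name can only ever be data.
    mysql_format(mysql, query, sizeof(query),
        "SELECT `UserID` FROM `accounts` WHERE `Name` = '%e' LIMIT 1", name);
    mysql_tquery(mysql, query, "OnAccountLookup", "d", playerid);
    return 1;
}

// Hypothetical callback name; runs when the SELECT result is cached.
forward OnAccountLookup(playerid);
public OnAccountLookup(playerid)
{
    if (cache_get_row_count() == 0)
        return 1; // unknown name: the registration flow belongs here
    gUserID[playerid] = cache_get_field_content_int(0, "UserID");
    return 1;
}

// Hypothetical helper: later writes use the integer key, so nothing from the
// player reaches the SQL text and the lookup hits an indexed integer column.
stock SavePlayerVehicle(playerid, veh)
{
    if (gUserID[playerid] == 0)
        return 0; // account not loaded yet; refuse rather than write to `Name`
    new query[96];
    mysql_format(mysql, query, sizeof(query),
        "UPDATE `accounts` SET `Veh` = %d WHERE `UserID` = %d",
        veh, gUserID[playerid]);
    mysql_tquery(mysql, query);
    return 1;
}
```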
Re: mysql_format player name -
Chump - 21.02.2016
Quote:
Originally Posted by AmigaBlizzard
Players could choose to enter "; DROP TABLE accounts;" as their name, it would wipe your database upon logging in.
It's not a regular name you would see everyday, but it does the trick in messing up your server.
Good point, but SA-MP doesn't allow spaces, semi-colons, or singular quotes in player names, making it impossible for SQL injection to happen from that alone. Only alphanumerical characters and certain symbols ([ ], ( ), =, @, _, etc.) are allowed. Everything else inputted by players should be escaped though.
Re: mysql_format player name -
Aa12 - 24.02.2016
Quote:
Originally Posted by Chump
Why is the player's name being escaped? It's completely unnecessary.
Change '%e' to '%s', and increase the size of 'query'. It seems that there isn't enough space in the query to insert the player's name. This should help.
When I use %s instead of '%e' it prints the player name right, but it doesn't save the info.
The query size is [200]. I think that's enough.
Quote:
Originally Posted by AmigaBlizzard
That's not true, you need to escape EVERYTHING inputted by players: playernames, company-names, housenames, vehiclenames, anything they can enter that would eventually be saved into your database.
Basic idea behind it: NEVER trust any player.
Samp is already flooded by hackers and cheaters, so don't give advice about not escaping playernames, you'll regret it someday.
Players could choose to enter "; DROP TABLE accounts;" as their name, it would wipe your database upon logging in.
It's not a regular name you would see everyday, but it does the trick in messing up your server.
If they know you never escape playernames, sooner or later someone will mess up your server using mysql injections like this.
But you are right by suggesting to increase the size of the query variable.
Since it's not shown in the code, we can only guess the variable is too small.
Some good advice:
When you register a new player account, you should have a column that identifies every player with a unique ID.
That column can be called "UserID" and should have "Primary key" and auto-increment in the settings.
Only when connecting, you should find the player's name in the database and load his UserID.
During every action later on in the database, you should use the UserID as it's only an integer.
Mysql works a lot faster when searching for integer values instead of entire strings like playernames.
It increases your overall mysql performance.
For a small server, you won't notice a difference, but when your script grows large, taking off some percentages off your cpu can make a difference in terms of lag.
Code:
public OnPlayerConnect(playerid)
{
new query[200];
mysql_format(mysql, query, sizeof(query), "SELECT * FROM `accounts` WHERE `Name` = '%e'", PlayerNameGet(playerid));
print(query);
return 1;
}
What I get printed when I connect:
Code:
SELECT * FROM `accounts` WHERE `Name` = ''
I have connected with an account that is already saved in the database.
Also, the thing about escaping: I don't really know what it is, but if using '%e' does the "escape" thing I guess I'm good, right? (Well, at least until I learn how to make this code work.)
Re: mysql_format player name -
Aa12 - 24.02.2016
Problem solved in a strange way: I just copied my whole gamemode code, created a new pawn document, pasted my code there, compiled and ran that gamemode, and everything worked fine.