SA-MP Forums Archive
How to escape string - Printable Version

+- SA-MP Forums Archive (https://sampforum.blast.hk)
+-- Forum: SA-MP Scripting and Plugins (https://sampforum.blast.hk/forumdisplay.php?fid=8)
+--- Forum: Scripting Help (https://sampforum.blast.hk/forumdisplay.php?fid=12)
+--- Thread: How to escape string (/showthread.php?tid=609757)



How to escape string - Nin9r - 16.06.2016

How to escape a string correctly?


HTML Code:
// escape the value in place, then build the query from the escaped value
mysql_real_escape_string(aString, aString);
format(szMessage, sizeof(szMessage), "INSERT INTO punsishes (text, playerID) VALUES ('%s', '%d')", aString, PlayerVar[playerid][pInternalID]);
mysql_tquery(handle, szMessage);
or
HTML Code:
// build the query first, then escape the whole finished query string
format(szMessage, sizeof(szMessage), "INSERT INTO punsishes (text, playerID) VALUES ('%s', '%d')", aString, PlayerVar[playerid][pInternalID]);
mysql_real_escape_string(szMessage, szMessage);
mysql_tquery(handle, szMessage);



Re: How to escape string - Sime30 - 16.06.2016

No need for real_escape. Just use '%e' instead of '%s'


Re: How to escape string - Sjn - 16.06.2016

It looks like you are using mysql R33 and above. If so, you don't need to use that function, just use %e specifier for strings in the query format.

https://sampwiki.blast.hk/wiki/MySQL/R33...t_specifiers_2

Quote:

Format strings

%e Escapes data directly without the need to call mysql_escape_string() before.




Re: How to escape string - Nin9r - 16.06.2016

Can I use %e instead of %d? Or just instead of %s?

And which of those types is correct?


Re: How to escape string - Sjn - 16.06.2016

No, you do not need to. Using %d or %i is just fine since they are integer specifiers. %e is a specifier for strings that escapes the data directly.


Re: How to escape string - Nin9r - 16.06.2016

So can I replace this:
HTML Code:
format(saveQuery, sizeof(saveQuery), "UPDATE playeraccounts SET playerPhoneBook = '%d', playerName = '%s' WHERE playerID = '%d'",
    PlayerVar[playerid][pPhoneBook], PlayerVar[playerid][pName], PlayerVar[playerid][pID]);
mysql_tquery(handle, saveQuery);
with it?
HTML Code:
format(saveQuery, sizeof(saveQuery), "UPDATE playeraccounts SET playerPhoneBook = '%e', playerName = '%e' WHERE playerID = '%e'",
    PlayerVar[playerid][pPhoneBook], PlayerVar[playerid][pName], PlayerVar[playerid][pID]);
mysql_tquery(handle, saveQuery);



Re: How to escape string - Sjn - 16.06.2016

As I wrote above, %e can be used for strings ONLY since it's a specifier that escapes the string directly. So you cannot use it for integer values; %d or %i are just fine for ints and they do not need to be escaped at all. Now, it's up to you to separate them depending on what type of data your table contains.

If you are using it for player name, it's fine. If you are using it for admin level, then it's wrong.


Re: How to escape string - Nin9r - 16.06.2016

Understood, thank you! But can you tell me which of those escape methods is OK?


Re: How to escape string - Sjn - 16.06.2016

Well, it's not really needed if you are using the latest version of the mysql plugin. But if you want to know, then the first method is correct, because it first escapes the szString and then you put it in the query. If you use the second method then you are first building the query and then escaping the string, which won't contain any escaped string.

Keep in mind that %e specifier can only be used with mysql_format.


Re: How to escape string - Nin9r - 16.06.2016

In mysql_tformat, no? What's the difference between them?


Re: How to escape string - Stinged - 16.06.2016

It's only %e in mysql_format, not format.
If you want to use format, use %q instead.
https://sampwiki.blast.hk/wiki/Format
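
An added example for the two points made above, Sjn's (escape the value before the query is assembled, not the finished query) and Stinged's (%e belongs to mysql_format, while plain format uses %q). It is written in Python for this thread; it is not Pawn and not the SA-MP MySQL plugin's own code. The escape table, the small specifier model in mysql_format, the literal parser, the `punishes` statement and the "O'Brien was rude" sample value are all constructed for the example, and only the specifiers discussed in the thread (%s, %d/%i, %e, %q) are modelled.

```python
# Added example (Python, written for this thread; not Pawn and not the
# SA-MP MySQL plugin's own code). It models the specifiers the thread talks
# about (%s, %d/%i, mysql_format's %e and format's %q) to show why the value
# must be escaped before the query is assembled, never the finished query.
import re

# Characters MySQL treats specially inside a quoted literal, escaped the way
# mysql_real_escape_string does (backslash escaping). Constructed table.
_ESCAPE = {
    "\\": "\\\\", "'": "\\'", '"': '\\"',
    "\0": "\\0", "\n": "\\n", "\r": "\\r", "\x1a": "\\Z",
}
_UNESCAPE = {"\\": "\\", "'": "'", '"': '"', "0": "\0",
             "n": "\n", "r": "\r", "Z": "\x1a"}


def mysql_escape_string(value: str) -> str:
    """Escape one value for use inside a single-quoted MySQL literal."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def mysql_format(fmt: str, *args) -> str:
    """Model of the plugin's formatter: %d/%i take an int, %s inserts a string
    verbatim, %e (mysql_format) and %q (format) insert a string escaped.
    Only this subset of specifiers is modelled (assumption)."""
    out, pos, it = [], 0, iter(args)
    for m in re.finditer(r"%([diseq])", fmt):
        out.append(fmt[pos:m.start()])
        spec, arg = m.group(1), next(it)
        if spec in "di":
            if not isinstance(arg, int):
                raise TypeError("%d/%i need an integer")
            out.append(str(arg))
        elif spec == "s":
            out.append(str(arg))
        else:  # %e / %q: strings only, as the thread says
            if not isinstance(arg, str):
                raise TypeError("%e/%q need a string")
            out.append(mysql_escape_string(arg))
        pos = m.end()
    out.append(fmt[pos:])
    return "".join(out)


def extract_literals(query: str) -> list:
    """Parse the single-quoted literals of a statement the way a MySQL parser
    would (backslash escapes honoured) and return their decoded values.
    Raises ValueError if a literal is never closed, i.e. the statement is
    syntactically broken."""
    literals, i, n = [], 0, len(query)
    while i < n:
        if query[i] == "\\":      # stray backslash outside any literal
            i += 2
            continue
        if query[i] != "'":
            i += 1
            continue
        i += 1                    # opening quote
        buf = []
        while True:
            if i >= n:
                raise ValueError("unterminated string literal")
            c = query[i]
            if c == "\\" and i + 1 < n:
                buf.append(_UNESCAPE.get(query[i + 1], query[i + 1]))
                i += 2
            elif c == "'":
                i += 1
                break
            else:
                buf.append(c)
                i += 1
        literals.append("".join(buf))
    return literals


# Constructed statement shape, following the thread's INSERT.
INSERT_FMT = "INSERT INTO punishes (text, playerID) VALUES ('%s', '%d')"


def query_unescaped(text: str, player_id: int) -> str:
    """%s with no escaping at all: the problem the thread starts from."""
    return mysql_format(INSERT_FMT, text, player_id)


def query_escape_first(text: str, player_id: int) -> str:
    """Method 1 from the opening post: escape the value, then format."""
    return mysql_format(INSERT_FMT, mysql_escape_string(text), player_id)


def query_escape_after(text: str, player_id: int) -> str:
    """Method 2 from the opening post: format, then escape the whole query."""
    return mysql_escape_string(mysql_format(INSERT_FMT, text, player_id))


def query_with_e(text: str, player_id: int) -> str:
    """The R33+ way: %e for the string, %d for the integer."""
    return mysql_format(
        "INSERT INTO punishes (text, playerID) VALUES ('%e', '%d')", text, player_id)


if __name__ == "__main__":
    # Constructed sample: a legitimate reason that happens to contain an apostrophe.
    reason, pid = "O'Brien was rude", 7
    for name, fn in [("unescaped", query_unescaped), ("escape first", query_escape_first),
                     ("escape after", query_escape_after), ("%e", query_with_e)]:
        q = fn(reason, pid)
        print(name, "->", q)
        try:
            print("   literals:", extract_literals(q))
        except ValueError as err:
            print("   broken statement:", err)
```

Run stand-alone it prints the four assembled statements: the unescaped one is not even parseable (the apostrophe in the data closes the literal early), escaping after formatting escapes the quotes you put in yourself so the statement contains no literal at all, and only "escape first" and %e yield a statement whose literals decode back to the original value.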


Re: How to escape string - Nin9r - 16.06.2016

Quote:
Originally Posted by Stinged
It's only %e in mysql_format, not format.
If you want to use format, use %q instead.
https://sampwiki.blast.hk/wiki/Format
I know it, I asked something else.


Re: How to escape string - Stinged - 16.06.2016

Quote:
Originally Posted by Nin9r
So can I replace this:
Code:
format(saveQuery, sizeof(saveQuery), "UPDATE playeraccounts SET playerPhoneBook = '%e', playerName = '%e' WHERE playerID = '%e'",
    PlayerVar[playerid][pPhoneBook], PlayerVar[playerid][pName], PlayerVar[playerid][pID]);
mysql_tquery(handle, saveQuery);
Clearly you know...