Question about SQL Lite -
jasperschellekens - 15.02.2018
Hello all,
I am learning SQLite and I have a few questions.
The first question is: do I have to free the result after a script or after each query?
Which one would be the right thing to do, option 1 or 2?
option 1:
PHP code:
// Build the SELECT and fetch one field from the result (GetName(playerid) is the player's name)
format(szQuery, sizeof(szQuery), "select * from `PINCODES` where `PlayerName` = '%s'", GetName(playerid));
SPAWN_RESULT = db_query(PIN_DATABASE, szQuery);
db_get_field_assoc(SPAWN_RESULT, "CurrentImput", SpawnConnectDBstr3, sizeof(SpawnConnectDBstr3));
//code here
// String values belong in single quotes ('%s'); backticks quote identifiers, not values
format(szQuery2, sizeof(szQuery2), "update `PINCODES` set `CurrentImput` = '%s' where `playername` = '%s'", DB_Escape(Input), GetName(playerid));
// Both result handles are freed at the end of the script
db_free_result(SPAWN_RESULT);
db_free_result(db_query(PIN_DATABASE, szQuery2));
option 2:
PHP code:
format(szQuery, sizeof(szQuery), "select * from `PINCODES` where `PlayerName` = '%s'", GetName(playerid));
SPAWN_RESULT = db_query(PIN_DATABASE, szQuery);
db_get_field_assoc(SPAWN_RESULT, "CurrentImput", SpawnConnectDBstr3, sizeof(SpawnConnectDBstr3));
// The SELECT result is freed as soon as its field has been read
db_free_result(SPAWN_RESULT);
//code here
// String values belong in single quotes ('%s'); backticks quote identifiers, not values
format(szQuery2, sizeof(szQuery2), "update `PINCODES` set `CurrentImput` = '%s' where `playername` = '%s'", DB_Escape(Input), GetName(playerid));
db_free_result(db_query(PIN_DATABASE, szQuery2));
My next question is about DB_Escape()... I am aware of the fact that this should prevent SQL injection? But how does an SQL injection work? I know what they can do with it, but how do they do it? And how does DB_Escape prevent this?
Thanks in advance.
Edit:
I have another question: if I want to create a UCP, is there a way to put the .db file on my webserver?
With ../ perhaps? Or maybe by putting the samp server in the www folder? Both servers are hosted on the same system. How could I do this? Would it work with .../ or by putting it in the www folder?
Re: Question about SQL Lite -
Sithis - 15.02.2018
SQL injection is a way for an attacker to 'sneak' their own SQL statements into the statements you execute on your server. Take a look here:
https://www.w3schools.com/sql/sql_injection.asp
Re: Question about SQL Lite -
jasperschellekens - 15.02.2018
Quote:
Originally Posted by Sithis
Thank you, but what does DB_Escape do then? Shouldn't I just block players from inserting = and OR etc.?
Re: Question about SQL Lite -
Sithis - 15.02.2018
DB escaping is the process of removing any characters from user input that can be used to perform SQL injection.
Let's say you have a command /stats [playername]. It queries your player table with the following query and returns the result to the player sending the command:
SELECT * FROM `Player` WHERE `Name` = '%s'
What if a player types the following command?
/stats Jasper'; DROP TABLE BANS;
The generated SQL query would be:
SELECT * FROM `Player` WHERE `Name` = 'Jasper'; DROP TABLE BANS;'
Hey, that's convenient! I can now drop the bans table while looking up your stats. Cool! The extra ' doesn't matter a whole lot because the SQL statements before that can be executed correctly.
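The /stats example above, worked through as an added example (not code from this thread or from SA-MP) in Python against a throwaway in-memory SQLite database. The Player row and the BANS table are constructed test data; `db_escape()` is an assumed equivalent of the thread's DB_Escape() that doubles single quotes, which is how a quote is written inside an SQLite string literal. The unescaped query is run with `executescript()` to mimic a server that hands the whole text to SQLite, so each statement in it executes in turn; the escaped and parameterized versions run as a single statement and leave BANS untouched.

```python
import sqlite3

# The query template from the /stats example in the post above.
QUERY_TEMPLATE = "SELECT * FROM `Player` WHERE `Name` = '%s'"

# Constructed sample input: the command argument shown in the post.
INJECTED_NAME = "Jasper'; DROP TABLE BANS;"


def fresh_db() -> sqlite3.Connection:
    """Throwaway in-memory database with constructed test data: one player and a BANS table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE Player (Name TEXT, Score INTEGER);"
        "INSERT INTO Player VALUES ('Jasper', 42);"
        "CREATE TABLE BANS (Name TEXT);"
    )
    return conn


def table_exists(conn: sqlite3.Connection, table: str) -> bool:
    """Check the schema catalogue for a table, using a bound parameter for the name."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    return row is not None


def db_escape(value: str) -> str:
    """Assumed equivalent of the thread's DB_Escape(): double each single quote so the
    whole input stays inside one string literal (SQLite has no backslash escapes)."""
    return value.replace("'", "''")


def build_unescaped(name: str) -> str:
    """What the vulnerable handler hands to SQLite: the name pasted straight in."""
    return QUERY_TEMPLATE % name


def build_escaped(name: str) -> str:
    """The same template with the input escaped first."""
    return QUERY_TEMPLATE % db_escape(name)


def run_unescaped(name: str) -> bool:
    """Run the unescaped text as a script, statement by statement, the way a server that
    passes the whole string to SQLite would. Returns whether BANS still exists afterwards."""
    conn = fresh_db()
    try:
        conn.executescript(build_unescaped(name))
    except sqlite3.Error:
        pass  # the stray trailing ' is a syntax error, but the statements before it already ran
    return table_exists(conn, "BANS")


def run_escaped(name: str) -> tuple[int, bool]:
    """Run the escaped query; returns (rows matched, BANS still exists)."""
    conn = fresh_db()
    rows = conn.execute(build_escaped(name)).fetchall()
    return len(rows), table_exists(conn, "BANS")


def run_parameterized(name: str) -> tuple[int, bool]:
    """Bound parameter: the driver passes the value separately, so it is never parsed as SQL."""
    conn = fresh_db()
    rows = conn.execute("SELECT * FROM Player WHERE Name = ?", (name,)).fetchall()
    return len(rows), table_exists(conn, "BANS")


if __name__ == "__main__":
    print(build_unescaped(INJECTED_NAME))
    print(build_escaped(INJECTED_NAME))
    print("BANS survives unescaped run:", run_unescaped(INJECTED_NAME))
    print("escaped (rows, BANS survives):", run_escaped(INJECTED_NAME))
    print("parameterized (rows, BANS survives):", run_parameterized(INJECTED_NAME))
```

Note that Python's single-statement `execute()` would refuse the unescaped text outright ("You can only execute one statement at a time"), which is why the demonstration uses `executescript()`. A driver that rejects stacked statements only blunts this particular payload; input that rewrites the WHERE clause inside a single statement still gets through, so escaping the value (or, better, binding it as a parameter as `run_parameterized()` does) is what actually closes the hole.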
Re: Question about SQL Lite -
jasperschellekens - 16.02.2018
Anyone else who can answer my other questions?
Re: Question about SQL Lite -
jasperschellekens - 17.02.2018
Sorry, but I have to bump this as my questions are unanswered.
Re: Question about SQL Lite -
Mugala - 17.02.2018
I don't understand what you want, but it may be useful -
https://sampwiki.blast.hk/wiki/Escaping_Strings_SQLite