When do I need to escape strings in mysql?
#1

So I might move to mysql for my server. When do I need to escape the string? Only on logging in, password I mean or everywhere? Considering the rest of the data would be stored in enums and saved (read) from enums.
Reply
#2

When are inserted some values which can be written by players. (not player names) In things which can contain ' and ` characters.
Reply
#3

you should escape any string, that user (player in your server) may enter, to prevent sql injection.
Reply
#4

So wherever I have a command that requires something to enter, that connects to the database (reads/or will insert into it)? Although, if I make a /setlevel cmd do I need to escape string, if I make it a condition that it must be an umber from 0 to 5 (isnumeric) and not any other character?
Reply
#5

Any time a user can enter their own text where that text is then stored in the database. Passwords should be hashed and salted- so escaping them isn't needed. You don't need to escape usernames either, since SA:MP limits specific characters from being used in a username (AFAIK- you might want to double check this).

So, if you are logging anything a player says on the server using OnPlayerText(), you need to be escaping the "text" string before inserting it into the database.

Search before posting next time.
Reply
#6

Quote:
Originally Posted by RealCop228
Посмотреть сообщение
Any time a user can enter their own text where that text is then stored in the database. Passwords should be hashed and salted- so escaping them isn't needed. You don't need to escape usernames either, since SA:MP limits specific characters from being used in a username (AFAIK- you might want to double check this).

So, if you are logging anything a player says on the server using OnPlayerText(), you need to be escaping the "text" string before inserting it into the database.

Search before posting next time.
You people gotta stop saying search before posting every time. I did, the exact answer wasn't there. Besides, someone should do a PDO plugin for samp
Reply
#7

Quote:
Originally Posted by 101
Посмотреть сообщение
You people gotta stop saying search before posting every time. I did, the exact answer wasn't there.
Actually, no we don't. The problem is that people like yourself who don't search properly, or don't spend the time to read through search results- thus leading to more spam topics on the same subject over and over and over again.

It's really annoying! You have been registered here for two years, but you can't even do such a simple task. It's just utter laziness on your part.
Reply
#8

Quote:
Originally Posted by RealCop228
Посмотреть сообщение
Actually, no we don't. The problem is that people like yourself who don't search properly, or don't spend the time to read through search results- thus leading to more spam topics on the same subject over and over and over again.

It's really annoying! You have been registered here for two years, but you can't even do such a simple task. It's just utter laziness on your part.
Be my guest search for it and tell me how long it took.

Finally, you chose to view my thread, you chose to reply. No one made you.
Reply
#9

When searching you won't always get an exact answer. However, with a little reading, you can find answers that are virtually the same thing. Quit being so lazy- spend more than a minute to search for something if you have to.

http://stackoverflow.com/questions/1...scape-a-string
Reply
#10

I was only searching on the forum, not ******-wide. I wasn't sure if the same rules matter.
Reply


Forum Jump:


Users browsing this thread: 3 Guest(s)