escaping names
#1

Hi,

Do I need to escape the name when a player connects? Or does SA-MP automatically disallow symbols that could cause SQL injection?
#2

Just try it out ...
#3

Quote:

%e

escapes the string if you are using threaded queries

SA:MP doesn't escape strings anywhere, since it's not built specifically for SQL. Same as most programming/scripting languages.

There are many types of SQL injection, therefore forbidding characters outright in SA:MP would be somewhat impossible.


Example:
Quote:

SELECT fieldlist FROM table WHERE field = 'x' AND email IS NULL; --

tl;dr: mysql_real_escape_string, '%e' and even more. Escape the string manually and there you go.


Also, as far as I know, most of the special characters that you would use for an injection attack cannot be used in a default SA:MP name, but there are advanced SQL injection attacks that can easily slip past those restrictions. Always escape your queries.
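A concrete version of the advice in the post above, as an added example that is not code from the thread. It assumes the SA-MP MySQL plugin API (mysql_format, mysql_tquery, cache_num_rows) and a hypothetical table `players` with columns `id` and `name`; the connection handle setup is omitted. The unsafe variant is kept next to the safe one only to show what `%e` prevents: even if a default SA:MP name rejects a quote character, any other string you put into a query (chat text, command parameters) has no such restriction, and the same pattern applies there.

```pawn
// Added example, not code from the thread. Assumes the SA-MP MySQL plugin
// (mysql_format / mysql_tquery / cache_num_rows) and a hypothetical table
// `players` with columns `id` and `name`.
#include <a_samp>
#include <a_mysql>

new MySQL:g_SQL;              // connection handle, opened in OnGameModeInit (not shown)

forward OnPlayerLoaded(playerid);

// VULNERABLE: the player name is formatted straight into the query text.
// A value such as  x' OR '1'='1  becomes part of the WHERE clause.
stock LoadPlayer_Unsafe(playerid)
{
    new name[MAX_PLAYER_NAME + 1], query[128];
    GetPlayerName(playerid, name, sizeof name);
    format(query, sizeof query,
        "SELECT id FROM players WHERE name = '%s'", name);
    mysql_tquery(g_SQL, query, "OnPlayerLoaded", "i", playerid);
}

// HARDENED: %e is the plugin's escaped-string specifier. mysql_format runs
// the name through the MySQL escaping routine (quotes, backslashes, NUL,
// newlines), so the query can only ever see the name as a string literal.
stock LoadPlayer_Safe(playerid)
{
    new name[MAX_PLAYER_NAME + 1], query[128];
    GetPlayerName(playerid, name, sizeof name);
    mysql_format(g_SQL, query, sizeof query,
        "SELECT id FROM players WHERE name = '%e'", name);
    mysql_tquery(g_SQL, query, "OnPlayerLoaded", "i", playerid);
}

public OnPlayerConnect(playerid)
{
    LoadPlayer_Safe(playerid);
    return 1;
}

public OnPlayerLoaded(playerid)
{
    // Runs on the main thread once the threaded query has finished;
    // the result set is available through the cache_* functions here.
    if (cache_num_rows() > 0)
        SendClientMessage(playerid, -1, "Account found, please log in.");
    else
        SendClientMessage(playerid, -1, "No account found, please register.");
    return 1;
}
```

The escaping happens in mysql_format, not in mysql_tquery itself, so build the query with `%e` first and hand the finished string to the threaded query; passing an unescaped `%s` result to mysql_tquery gives no protection.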

