Question about SQLite
#1

Hello all,

I am learning SQLite and I have a few questions.

The first question is: do I have to free the result after a script or after each query?
Which one would be the right thing to do, option 1 or 2?

option 1:
PHP code:
format(szQuery, sizeof(szQuery), "select * from `PINCODES` where `PlayerName` = '%s'", GetName(playerid));

SPAWN_RESULT = db_query(PIN_DATABASE, szQuery);                 // DBResult handle for the SELECT

db_get_field_assoc(SPAWN_RESULT, "CurrentImput", SpawnConnectDBstr3, sizeof(SpawnConnectDBstr3));

//code here

// string values are quoted with ' in SQL; backticks quote identifiers (table/column names)
format(szQuery2, sizeof(szQuery2), "update `PINCODES` set `CurrentImput` = '%s' where `playername` = '%s'", DB_Escape(Input), GetName(playerid));

db_free_result(SPAWN_RESULT);                                   // SELECT result freed after the UPDATE is built

db_free_result(db_query(PIN_DATABASE, szQuery2));               // UPDATE returns no rows, so free its result at once
option 2:
PHP code:
format(szQuery, sizeof(szQuery), "select * from `PINCODES` where `PlayerName` = '%s'", GetName(playerid));

SPAWN_RESULT = db_query(PIN_DATABASE, szQuery);                 // DBResult handle for the SELECT

db_get_field_assoc(SPAWN_RESULT, "CurrentImput", SpawnConnectDBstr3, sizeof(SpawnConnectDBstr3));

db_free_result(SPAWN_RESULT);                                   // SELECT result freed as soon as the field is read

//code here

// string values are quoted with ' in SQL; backticks quote identifiers (table/column names)
format(szQuery2, sizeof(szQuery2), "update `PINCODES` set `CurrentImput` = '%s' where `playername` = '%s'", DB_Escape(Input), GetName(playerid));

db_free_result(db_query(PIN_DATABASE, szQuery2));               // UPDATE returns no rows, so free its result at once
My next question is about DB_Escape()... I am aware of the fact that this should prevent SQL injection? But how does an SQL injection work? I know what they can do with it, but how do they do it? And how does DB_Escape prevent this?

Thanks in advance.

Edit:

I have another question: if I want to create a UCP, is there a way to put the .db file on my webserver?
With ../ perhaps? Or maybe by putting the SA-MP server in the www folder? Both servers are hosted on the same system. How could I do this? Would it work with ../ or by putting it in the www folder?
#2

SQL injection is a way for an attacker to 'sneak' their own SQL statements into the statements you execute on your server. Take a look here: https://www.w3schools.com/sql/sql_injection.asp
#3

Quote:
Originally Posted by Sithis
SQL injection is a way for an attacker to 'sneak' their own SQL statements into the statements you execute on your server. Take a look here: https://www.w3schools.com/sql/sql_injection.asp
Thank you, but what does DB_Escape do then? Shouldn't I just block players from inserting = and OR etc.?
#4

DB escaping is the process of removing any characters from user input that can be used to perform SQL injection.

Let's say you have a command /stats [playername]. It queries your player table with the following query and returns the result to the player sending the command:

SELECT * FROM `Player` WHERE `Name` = '%s'

What if a player types the following command?

/stats Jasper'; DROP TABLE BANS;

The generated SQL query would be:

SELECT * FROM `Player` WHERE `Name` = 'Jasper'; DROP TABLE BANS;'

Hey, that's convenient! I can now drop the bans table while looking up your stats. Cool! The extra ' doesn't matter a whole lot because the SQL statements before that can be executed correctly.
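The escaping argument from the post above, as an added example that is not from the thread: Python's sqlite3 module stands in for the Pawn db_query/DB_Escape natives (db_escape here is a hypothetical stand-in that doubles single quotes, the PINCODES rows are constructed), and it also shows parameter binding, which keeps the value out of the SQL text entirely.

```python
import sqlite3

# Constructed stand-in for the thread's PINCODES table (names and PINs are made up).
def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE PINCODES (PlayerName TEXT PRIMARY KEY, CurrentImput TEXT);
        INSERT INTO PINCODES VALUES ('Jasper', '1234'), ('Sithis', '9876');
        CREATE TABLE BANS (PlayerName TEXT);
    """)
    return con

def db_escape(value):
    """Hypothetical stand-in for DB_Escape: doubling every single quote means the
    value can never close the string literal it is pasted into."""
    return value.replace("'", "''")

def compose_unescaped(name):
    # What the thread's format() call builds when the input goes in raw.
    return "SELECT PlayerName, CurrentImput FROM PINCODES WHERE PlayerName = '%s'" % name

def compose_escaped(name):
    return compose_unescaped(db_escape(name))

def lookup_unescaped(con, name):
    return con.execute(compose_unescaped(name)).fetchall()

def lookup_escaped(con, name):
    return con.execute(compose_escaped(name)).fetchall()

def lookup_bound(con, name):
    # Parameter binding: the driver receives the value separately from the SQL text,
    # so quotes or keywords in the name are never parsed as SQL.
    sql = "SELECT PlayerName, CurrentImput FROM PINCODES WHERE PlayerName = ?"
    return con.execute(sql, (name,)).fetchall()

def table_exists(con, table):
    row = con.execute("SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)).fetchone()
    return row is not None

if __name__ == "__main__":
    con = make_db()
    # A name that closes the quote and appends a condition that is always true.
    bypass = "x' OR '1'='1"
    print(lookup_unescaped(con, bypass))   # every row, i.e. every player's PIN
    print(lookup_escaped(con, bypass))     # [] : the quote stays inside the literal
    print(lookup_bound(con, bypass))       # [] : the value is just a name to compare
    # The thread's payload after escaping is a single, harmless SELECT.
    print(compose_escaped("Jasper'; DROP TABLE BANS;"))
```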
#5

Anyone else who can answer my other questions?
#6

Sorry, but I have to bump this as my questions are unanswered.
#7

I don't understand what you want, but it may be useful: https://sampwiki.blast.hk/wiki/Escaping_Strings_SQLite