Escape string
#1

Alright, so I've got a simple question: since I want to avoid any data injection, could I simply do things such as

PHP code:
// 'mysql' is assumed to be the connection handle returned by mysql_connect(), and 'query' a string buffer
mysql_format(mysql, query, sizeof(query), "UPDATE `players` SET `Username`='%e' WHERE `ID`=%d", NewName, AccInfo[playerid][ID]);
mysql_tquery(mysql, query);
Or would I have to escape the string another way?

I'm trying to understand how it all works.

So basically, is it enough if I use '%e' when formatting, or do I still have to do something to avoid data injection?
Reply
#2

I believe in the MySQL version you are using %e is enough, although you should use the usual MySQL string escape.
Reply
#3

Quote:
Originally Posted by ikey07
I believe in the MySQL version you are using %e is enough, although you should use the usual MySQL string escape.
Yes, but how do I use it? I'm not that good with this, to be honest.
Reply
#4

%e is escaping the string, should be good enough.
Reply
#5

Thanks! That's all I needed! ++rep
Reply
#6

%e is indeed an escape string,
I'm using it in my code too.
Code:
mysql_format(mysql, query, sizeof(query), "SELECT * FROM `players` WHERE `Username` = '%e' LIMIT 1", Name[playerid]);
Reply
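As an added example that is not from any post in this thread: the same UPDATE written three ways in Pawn, assuming BlueG's MySQL plugin with the R7 to R39 style API (where mysql_escape_string takes the connection handle as its third argument) and a handle g_SQL obtained elsewhere from mysql_connect. The first version shows why plain format() is not enough, the second is the %e form discussed above, and the third is the "usual mysql string escape" from post #2.

```pawn
// Added example, not code from the thread. Assumes BlueG's MySQL plugin (R7-R39 API).
#include <a_samp>
#include <a_mysql>

// Assumed: connection handle set by mysql_connect() elsewhere in the script.
new g_SQL;

// 1) VULNERABLE: format() does not escape anything. A single quote inside newname
//    closes the '...' literal early, so the rest of the player's input is parsed as SQL.
stock SaveName_Unsafe(accountid, const newname[])
{
    new query[128];
    format(query, sizeof(query),
        "UPDATE `players` SET `Username`='%s' WHERE `ID`=%d", newname, accountid);
    mysql_tquery(g_SQL, query);
}

// 2) SAFE: mysql_format() escapes the %e argument for this connection, and %d
//    renders the id as an integer, so neither value can change the statement.
stock SaveName_Safe(accountid, const newname[])
{
    new query[128];
    mysql_format(g_SQL, query, sizeof(query),
        "UPDATE `players` SET `Username`='%e' WHERE `ID`=%d", newname, accountid);
    mysql_tquery(g_SQL, query);
}

// 3) SAFE, manual variant: escape into a separate buffer first (worst case every
//    character is doubled, plus the terminator), then %s with plain format() is fine.
stock SaveName_ManualEscape(accountid, const newname[])
{
    new escaped[MAX_PLAYER_NAME * 2 + 1], query[128];
    mysql_escape_string(newname, escaped, g_SQL);
    format(query, sizeof(query),
        "UPDATE `players` SET `Username`='%s' WHERE `ID`=%d", escaped, accountid);
    mysql_tquery(g_SQL, query);
}
```

Escaping only protects the quoted string literal; the integer placeholder %d is what keeps the ID column safe, so never pass the ID through %s or %e with quotes removed.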