Quote:
Originally Posted by Aldo.
Query was incorrect
pawn Code:
format(query2, 256, "SELECT * FROM users WHERE username='%s'", playername2);
mysql_real_escape_string(query2); // Prevents SQL injection
I think you'll find that escaping the entire query is not a form of prevention against SQL injection; it is actually a way of breaking the query. You're not supposed to escape the query, you're supposed to escape the values that are being inserted into the query string and that are controlled by the player. For example:
pawn Code:
mysql_real_escape_string(playername2,playername2);
format(query2, sizeof(query2), "SELECT * FROM `users` WHERE Username = '%s'", playername2);
This will escape the player's name, so any characters that may be used in the name to inject their own code will be escaped. For example, if the player's name was
it will now become
so the character is escaped, not allowing the person to inject code.
With that said, it's not even possible to inject code using a name, because you can't even play SA-MP with those characters in your nickname.
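To make the difference between the two posts concrete outside a SA-MP server, here is an added Python model (not code from either poster or from the MySQL plugin) of the escaping that mysql_real_escape_string performs on a value. It builds the query both ways, escaping the value before format versus escaping the finished query, and runs a small scanner over the result to check whether the statement still contains exactly one well-formed string literal equal to the name. The escape table follows the MySQL C API documentation (backslash, quotes, NUL, newline, carriage return, Ctrl-Z) and ignores character-set handling; the player names are constructed sample input.

```python
# Added example: model of mysql_real_escape_string used to contrast
# escaping the value with escaping the whole query string.

# Characters that mysql_real_escape_string rewrites (MySQL C API semantics,
# charset handling omitted for this illustration).
_ESCAPES = {
    "\\": "\\\\",
    "'": "\\'",
    '"': '\\"',
    "\0": "\\0",
    "\n": "\\n",
    "\r": "\\r",
    "\x1a": "\\Z",
}
# Reverse map: the character following a backslash -> original character.
_UNESCAPES = {v[1]: k for k, v in _ESCAPES.items()}

QUERY_TEMPLATE = "SELECT * FROM `users` WHERE Username = '%s'"


def mysql_escape(value: str) -> str:
    """Escape one value the way mysql_real_escape_string does."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_query_escaping_value(name: str) -> str:
    """The corrected approach from the reply: escape the value, then format."""
    return QUERY_TEMPLATE % mysql_escape(name)


def build_query_escaping_query(name: str) -> str:
    """The quoted approach: format first, then escape the whole query."""
    return mysql_escape(QUERY_TEMPLATE % name)


def parse_literals(query: str):
    """Return the single-quoted string literals in `query` after undoing
    MySQL backslash escapes, or None if a literal is left unterminated
    (i.e. the statement is no longer well-formed). Tiny scanner: it only
    understands single-quoted literals with backslash escapes."""
    literals = []
    i, n = 0, len(query)
    while i < n:
        if query[i] != "'":
            i += 1
            continue
        i += 1  # consume the opening quote
        buf = []
        while True:
            if i >= n:
                return None  # reached end of input inside a literal
            ch = query[i]
            if ch == "\\" and i + 1 < n:
                buf.append(_UNESCAPES.get(query[i + 1], query[i + 1]))
                i += 2
            elif ch == "'":
                i += 1  # closing quote
                break
            else:
                buf.append(ch)
                i += 1
        literals.append("".join(buf))
    return literals


def is_safe_lookup(query: str, name: str) -> bool:
    """True when the query carries exactly one literal and it is the name."""
    return parse_literals(query) == [name]


if __name__ == "__main__":
    # Constructed sample names, including ones with characters that need escaping.
    for sample in ["Aldo", "O'Brien", "back\\slash"]:
        good = build_query_escaping_value(sample)
        bad = build_query_escaping_query(sample)
        print("value escaped :", good, "->", parse_literals(good))
        print("query escaped :", bad, "->", parse_literals(bad))
```

Escaping the value leaves one literal that decodes back to the original name, so a quote in the name stays data. Escaping the finished query also escapes the two quotes the template itself added, so the scanner never finds a closing quote and reports the statement as broken, which matches the reply's point that the quoted code breaks the query rather than protecting it.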