09.07.2013, 12:31
You should. I will give you an example of what SQL Injection is.
Let's say your mode has a dialog (input) and someone inserts a "name" to check something for a user. He can input:
pawn Code:
"Zeus';DROP TABLE users;"
And it will just delete your table "users". DB_Escape is used for this reason: to prevent someone from doing something bad to your database. You can also read more about DB_Escape/SQL injection on the wiki (https://sampwiki.blast.hk/wiki/Escaping_Strings_SQLite) or Wikipedia (http://en.wikipedia.org/wiki/SQL_injection).
You just need to check any string you insert in a query with:
pawn Code:
// An example (ip is the string the player typed, db is your DB: handle):
new query[128];
format(query, sizeof(query), "SELECT username FROM users WHERE ip = '%s'", DB_Escape(ip));
db_query(db, query); // etc..
Glad to hear that you use SQLite; it's great, and I can confirm it because I know that a very popular server in the past used SQLite and had over 500,000 registered users and everything worked fine!
Thanks for your kind words.
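An added example, not from the thread, using Python's sqlite3 instead of Pawn so it can be run anywhere: the payload quoted above is sent against an in-memory SQLite table three ways. Raw string formatting lets the appended DROP run, quote-doubling (assumed here to be what DB_Escape does for SQLite) keeps the whole input as data, and a bound parameter avoids hand escaping altogether.

```python
import sqlite3

# Constructed sample input: the payload quoted in the post above.
MALICIOUS_NAME = "Zeus';DROP TABLE users;"


def db_escape(value: str) -> str:
    """SQLite escaping: a single quote inside a string literal is written as
    two single quotes. Assumed to mirror what DB_Escape does in Pawn."""
    return value.replace("'", "''")


def fresh_db() -> sqlite3.Connection:
    """In-memory SQLite database with a small constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users (username TEXT, ip TEXT);"
        "INSERT INTO users VALUES ('Zeus', '127.0.0.1');"
    )
    return conn


def table_exists(conn: sqlite3.Connection) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name='users'"
    ).fetchone()
    return row is not None


def lookup_unescaped(name: str) -> bool:
    """Vulnerable pattern: user input formatted straight into the query.
    executescript() runs every statement in the string, as a server-side
    exec would. The payload's dangling quote makes the tail a syntax error,
    but the DROP TABLE has already executed by then, so the table is gone."""
    conn = fresh_db()
    try:
        conn.executescript("SELECT ip FROM users WHERE username = '%s';" % name)
    except sqlite3.Error:
        pass
    return table_exists(conn)


def lookup_escaped(name: str) -> bool:
    """Same query, but the input goes through db_escape() first."""
    conn = fresh_db()
    conn.executescript("SELECT ip FROM users WHERE username = '%s';" % db_escape(name))
    return table_exists(conn)


def lookup_parameterized(name: str):
    """Safer still: the driver binds the value; no quoting rules to get wrong."""
    conn = fresh_db()
    return conn.execute("SELECT ip FROM users WHERE username = ?", (name,)).fetchall()
```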