05.06.2015, 06:35
You should escape every string that has been entered by a player.
Strings that are generated inside your script (like a line of text that could act as a log entry for record-keeping) normally don't need to be escaped, unless they contain data entered by a player (like chat).
Example:
Your script could generate a line of text like this: "Player %s has earned $%i", which needs to be added into a log-table.
This line needs to be escaped as it contains a player name (player names are entered by the player himself).
Players could change their name to "DROP TABLE accounts;" and your script would happily delete your table.
Example 2:
Your script could generate a line of text like this: "Total players online: %i".
This text doesn't need to be escaped as there is no user input in that line.
Players can't do anything with this text to corrupt your tables in any way.
Integers and floats never need to be escaped.
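The two cases from the post, worked through as an added example (this is not code from the post or from any game server project). It uses Python with an in-memory SQLite database standing in for the server's MySQL tables; the `accounts` and `log` tables, the `log_*` function names and the crafted player name are all constructed for the demonstration. The crafted name closes the open string literal before its `DROP TABLE`, which is what lets the extra statement run when the log line is pasted into the query, and `executescript()` is used in the unsafe path to mimic a driver that executes several statements at once.

```python
import sqlite3

# Constructed sample input: a benign player name and one crafted to break out of
# the quoted log line (hypothetical attacker input, not taken from any real server).
BENIGN_NAME = "Bob"
MALICIOUS_NAME = "Bob'); DROP TABLE accounts; --"


def fresh_db():
    """In-memory SQLite database with the two tables the post talks about."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE accounts(name TEXT PRIMARY KEY, money INTEGER);"
        "INSERT INTO accounts VALUES ('Bob', 100);"
        "CREATE TABLE log(entry TEXT);"
    )
    return conn


def table_exists(conn, table):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (table,)
    ).fetchone()
    return row is not None


def log_unsafe(conn, player_name, amount):
    """The pattern the post warns about: the generated log line, player name
    included, is pasted straight into the SQL text. executescript() runs every
    statement in the string, so an injected second statement is executed."""
    entry = "Player %s has earned $%i" % (player_name, amount)
    sql = "INSERT INTO log(entry) VALUES ('%s');" % entry
    conn.executescript(sql)


def log_escaped(conn, player_name, amount):
    """Same generated line, but the player-supplied part is escaped first.
    Doubling single quotes is SQLite's rule; a MySQL driver's escape function
    handles more characters, so in a real script use the driver's routine."""
    escaped_name = player_name.replace("'", "''")
    entry = "Player %s has earned $%i" % (escaped_name, amount)
    sql = "INSERT INTO log(entry) VALUES ('%s');" % entry
    conn.executescript(sql)


def log_bound(conn, player_name, amount):
    """Preferred form: the whole log line is passed as a bound parameter, so the
    database never parses its content as SQL, whatever the name contains."""
    entry = "Player %s has earned $%i" % (player_name, amount)
    conn.execute("INSERT INTO log(entry) VALUES (?)", (entry,))
    conn.commit()


def log_entries(conn):
    return [row[0] for row in conn.execute("SELECT entry FROM log ORDER BY rowid")]


def accounts_survive(logger, player_name):
    """Run one logging routine against a fresh database and report whether the
    accounts table still exists afterwards, plus what ended up in the log."""
    conn = fresh_db()
    logger(conn, player_name, 50)
    return table_exists(conn, "accounts"), log_entries(conn)


if __name__ == "__main__":
    for fn in (log_unsafe, log_escaped, log_bound):
        intact, entries = accounts_survive(fn, MALICIOUS_NAME)
        print("%-12s accounts intact: %-5s log: %r" % (fn.__name__, intact, entries))
```

Running it shows `log_unsafe` losing the `accounts` table and logging only the truncated line "Player Bob", while `log_escaped` and `log_bound` keep the table and store the full crafted name as harmless text. The "Total players online: %i" case needs neither treatment: `%i` only accepts a number (`"%i" % "5"` raises `TypeError`), so no player-controlled characters can reach the query through that placeholder.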