23.01.2016, 22:19
Replace the "%s" by "%e" for automatic escaping during formatting, that's all.
PHP code:
// %e escapes inputtext before it is placed inside the quotes; %d formats the integer clan id
mysql_format(handle, string, sizeof(string), "UPDATE clans SET ClanTag = '%e' WHERE clans.ClanID = '%d'", inputtext, PlayerInfo[playerid][pClan]);
Doesn't your error-log display the full query as it's sent to MySQL?
Maybe your string is too short and doesn't contain the full query.
Show the length of "string", as well as the query as it's sent to MySQL, which should be inside the error-log file.
This page shows some guidelines to track down error 1064 in MySQL:
http://www.inmotionhosting.com/suppo...ing/error-1064
But since your error-line already displays
PHP code:
syntax to use near 'JA'.')' at line 1
and this part isn't in your query, we can assume your players are entering text like
PHP code:
JA'.
as clan tag.
Because you didn't escape your inputted text, your players can really mess up your tables.
Just replacing the %s by %e can fix your errors already.
I hope they don't figure out that if they just do:
PHP code:
'; DROP TABLE clans; '
your entire table, along with all its data and complete data structure, is just gone.
Query:
PHP code:
UPDATE clans SET ClanTag = '%s' WHERE clans.ClanID = '%d'
Replace the "%s" by the inputted text above (the DROP TABLE line) and you get this query:
PHP code:
UPDATE clans SET ClanTag = ''; DROP TABLE clans; '' WHERE clans.ClanID = '%d'
The first part (before the first ; ) would just update the ClanTag for all clans in that table to an empty string: UPDATE clans SET ClanTag = '';
The ; ends the first query.
Then the second query "DROP TABLE clans" is executed.
The third part (after the second ; ) just fails because the query is incomplete (it's only a WHERE clause without anything else).
You see what one player can do with your entire database?
He can just wipe it all, without any hacks on his end.
Anywhere you allow player input to be saved into your table directly, use %e instead of %s to escape inputted text and be safe from MySQL injections.
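As an added illustration of the post above (example code written for this page, not the original poster's script and not the SA-MP MySQL plugin's own implementation), the following Python models what mysql_format does with %s versus %e and then runs the unescaped query against an in-memory SQLite database. Assumptions: mysql_escape mirrors the character set that mysql_real_escape_string escapes (NUL, newline, carriage return, backslash, both quotes and Ctrl-Z), which is what %e applies on the real plugin; format_query, count_statements, run_unsafe and run_safe are helper names invented here; the payload, the clan id and the clan row are constructed sample data. Because SQLite does not understand MySQL's backslash escapes, the safe database call uses a bound parameter, which is the general hardened form of the same fix; the %e-escaped query text itself is shown at string level.

```python
import sqlite3

# Constructed sample data for this example (not from the original post's server).
PAYLOAD = "'; DROP TABLE clans; '"   # the clan tag a malicious player submits
CLAN_ID = 7

# Character set escaped by mysql_real_escape_string, which is the behaviour the
# SA-MP MySQL plugin's %e specifier applies (assumption: the plugin escapes
# exactly these characters and nothing else).
_MYSQL_ESCAPES = {
    "\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
    "'": "\\'", '"': '\\"', "\x1a": "\\Z",
}


def mysql_escape(value: str) -> str:
    """Backslash-escape a string for use inside a MySQL quoted literal."""
    return "".join(_MYSQL_ESCAPES.get(ch, ch) for ch in value)


def format_query(fmt: str, *args) -> str:
    """Minimal stand-in for mysql_format: %s inserts the argument verbatim,
    %e inserts it escaped, %d inserts an integer, %% a literal percent."""
    out, i, argi = [], 0, 0
    while i < len(fmt):
        if fmt[i] == "%" and i + 1 < len(fmt) and fmt[i + 1] in "sed%":
            spec = fmt[i + 1]
            if spec == "%":
                out.append("%")
            else:
                arg = args[argi]
                argi += 1
                if spec == "s":
                    out.append(str(arg))
                elif spec == "e":
                    out.append(mysql_escape(str(arg)))
                else:  # "d"
                    out.append(str(int(arg)))
            i += 2
        else:
            out.append(fmt[i])
            i += 1
    return "".join(out)


FMT_UNSAFE = "UPDATE clans SET ClanTag = '%s' WHERE clans.ClanID = '%d'"
FMT_SAFE = "UPDATE clans SET ClanTag = '%e' WHERE clans.ClanID = '%d'"


def count_statements(query: str) -> int:
    """Count ';'-separated statements, ignoring ';' inside single-quoted
    literals (MySQL backslash escapes honoured)."""
    n, in_str, i = 1, False, 0
    while i < len(query):
        c = query[i]
        if in_str and c == "\\":
            i += 2          # skip the escaped character
            continue
        if c == "'":
            in_str = not in_str
        elif c == ";" and not in_str and query[i + 1:].strip():
            n += 1
        i += 1
    return n


def _fresh_db() -> sqlite3.Connection:
    """Constructed table with one clan row, standing in for the real clans table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE clans (ClanID INTEGER PRIMARY KEY, ClanTag TEXT)")
    con.execute("INSERT INTO clans VALUES (?, 'OLD')", (CLAN_ID,))
    con.commit()
    return con


def table_exists(con: sqlite3.Connection, name: str) -> bool:
    row = con.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def run_unsafe(payload: str) -> bool:
    """Build the query with %s and hand the whole text to a connection that
    executes multiple statements. Returns True if the clans table survived."""
    con = _fresh_db()
    try:
        con.executescript(format_query(FMT_UNSAFE, payload, CLAN_ID))
    except sqlite3.Error:
        pass  # the trailing "'' WHERE ..." fragment is a syntax error, as the post says
    return table_exists(con, "clans")


def run_safe(payload: str) -> tuple:
    """Bind the tag as a parameter so the database never parses it as SQL.
    Returns (table survived, stored tag)."""
    con = _fresh_db()
    con.execute("UPDATE clans SET ClanTag = ? WHERE clans.ClanID = ?", (payload, CLAN_ID))
    tag = con.execute("SELECT ClanTag FROM clans WHERE ClanID = ?", (CLAN_ID,)).fetchone()[0]
    return table_exists(con, "clans"), tag


if __name__ == "__main__":
    for label, fmt in (("%s", FMT_UNSAFE), ("%e", FMT_SAFE)):
        q = format_query(fmt, PAYLOAD, CLAN_ID)
        print(f"{label}: {q}\n    -> {count_statements(q)} statement(s)")
    print("table survives unescaped query:", run_unsafe(PAYLOAD))
    print("table survives bound parameter: ", run_safe(PAYLOAD))
```

Running the file prints the %s query as three statements and the %e query as one, then shows the table gone after the unescaped run and intact, with the literal tag stored, after the bound one. Whether the DROP actually executes on a real server depends on the connection allowing multiple statements; even where it does not, the unescaped quote in a tag like JA'. still produces exactly the 1064 error the thread started with, so escaping with %e (or binding the value) is needed either way.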