[Spmn]

Quote:

Originally Posted by Sanya4 1. Actually it's C-code, it means you cannot use %e(limited API): PHP код: char query[300]; snprintf(query, sizeof(query), "INSERT INTO `History` (`SomeName`) VALUES ('%s')", name);//name - got with GetPlayerName   mysql_tquery(mysql, query, "", 0);  2. I have asked there's a way to inject, not to prevent by any ways. 3. I haven't found any ways, so using mysql_real_escape_string is useless then for game names.

You're mixing SA-MP PAWN and C.
SA-MP format() introduces %q specifier which escapes strings using sqlite engine.
Also, there is mysql_format() where you can actually use %e as pointed before.

Escaping names may be useless now, but what if in a next SA-MP version there will be more allowed characters for nicknames? You'll have to look through entire gamemode and escape all nicks. So why not just escape them from the beginning?