sscanf
#1

Hi,

Does sscanf escape strings? Because now I use threaded queries and I have player variables.

Code:
new VariableFP[ MAX_PLAYERS ][ MAX_PLAYER_NAME ];
Code:
// the buffer size in s[...] must not exceed the destination (MAX_PLAYER_NAME = 24 cells)
if (sscanf(params, "s[24]", VariableFP[ playerid ] ))
{
    return 1;
}
And I have a query inside it; in the callback I use VariableFP to update by player name, but if the player writes this command again he can change the VariableFP value to something else, and then when the query completes and takes the value from VariableFP it will not be the same one, and the player could do SQL injection.
#2

Sorry, this is wrong.
#3

Read the whole message...
#4

Sorry, and this is wrong.
#5

What the fuck are you saying? I was talking about queries; about sscanf escaping I was just giving examples.
#6

Even if sscanf won't escape text entered by a player, when you use the variable's contents in a query, escape it using the %e identifier instead of %s inside mysql_format.

Something like this:
pawn Code:
// Query: buffer for the formatted statement; ID: the player's database id (declared elsewhere)
new Query[128];
if (sscanf(params, "s[24]", VariableFP[ playerid ] ))
{
    // %e escapes the string for MySQL; %i formats the integer id
    mysql_format(SQL_db, Query, sizeof(Query), "UPDATE playerdata SET VarFP = '%e' WHERE ID = '%i'", VariableFP[playerid], ID);
    mysql_tquery(SQL_db, Query, "", "");
    return 1;
}
#7

Thanks, I need that. And can I use %e for every string?
#8

EDIT: Yes!
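The two problems in this thread are separate: %e in mysql_format handles escaping, but it does nothing about the race described in post #1, where the callback re-reads VariableFP after the player may have overwritten it with a second command. The following is an added example, not code from any poster; it escapes the value at the moment the command runs and hands the callback what it needs as mysql_tquery parameters instead of a shared per-player array. It assumes the BlueG MySQL plugin (R39+), sscanf2 and zcmd; SQL_db, PlayerSQLID, VariableFP and OnFPUpdated are assumed names.

```pawn
#include <a_samp>
#include <a_mysql>
#include <sscanf2>
#include <zcmd>

new MySQL:SQL_db;                                   // assumed connection handle
new PlayerSQLID[MAX_PLAYERS];                       // assumed: database id set at login
new VariableFP[MAX_PLAYERS][MAX_PLAYER_NAME];

CMD:setfp(playerid, params[])
{
    // Bound the read to the destination size (MAX_PLAYER_NAME is 24 cells),
    // so a longer input cannot spill past this player's slot.
    if (sscanf(params, "s[24]", VariableFP[playerid]))
        return SendClientMessage(playerid, -1, "Usage: /setfp [text]");

    new query[160];
    // %e escapes quotes and backslashes now, before any later /setfp can
    // overwrite VariableFP[playerid]; the escaped copy lives in the query text.
    mysql_format(SQL_db, query, sizeof query,
        "UPDATE playerdata SET VarFP = '%e' WHERE ID = %d",
        VariableFP[playerid], PlayerSQLID[playerid]);

    // Pass playerid to the callback as a parameter. Anything else the callback
    // needs is passed the same way rather than re-read from a shared array.
    mysql_tquery(SQL_db, query, "OnFPUpdated", "d", playerid);
    return 1;
}

forward OnFPUpdated(playerid);
public OnFPUpdated(playerid)
{
    // Only report the result here. Building another statement from
    // VariableFP at this point would reintroduce the race from post #1.
    SendClientMessage(playerid, -1, "Fingerprint saved.");
    return 1;
}
```

If the callback genuinely needs the string, pass it through mysql_tquery with the "s" format specifier so the callback receives the copy that was validated when the command ran, not whatever is in the array when the query completes.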