Replace the "%s" by "%e" for automatic escaping during formatting, that's all.
PHP код:
mysql_format(handle, string, sizeof(string), "UPDATE clans SET ClanTag = '%e' WHERE clans.ClanID = '%d'",inputtext,PlayerInfo[playerid][pClan]);
Doesn't your error-log display the full query as it's sent to mysql?
Maybe your string is too short and doesn't contain the full query.
Show the length of "string", as well as the query as it's sent to mysql, which should be inside the error-log file.
This page shows some guidelines to track down error 1064 in mysql:
http://www.inmotionhosting.com/suppo...ing/error-1064
But since your error-line already displays
PHP код:
syntax to use near 'JA'.')' at line 1
And this part isn't in your query, we can assume your players are entering text like
As clantag.
Because you didn't escape your inputted text, your players can really mess up your tables.
Just replacing the %s by %e can fix your errors already.
I hope they don't figure out that if they just do:
PHP код:
'; DROP TABLE clans; '
Your entire table, along with all it's data and complete data-structure is just gone.
Query:
PHP код:
UPDATE clans SET ClanTag = '%s' WHERE clans.ClanID = '%d'
Replace the "%s" by the inputted text above (the DROP TABLE line) and you get this query:
PHP код:
UPDATE clans SET ClanTag = ''; DROP TABLE clans; '' WHERE clans.ClanID = '%d'
The first part (before the first ; ) would just update the ClanTag for all clans in that table to an empty string: UPDATE clans SET ClanTag = '';
The ; ends the first query.
Then the second query "DROP TABLE clans" is executed.
The third part (after the second ; ) just fails because the query is incomplete (it's only a where clause without anything else).
You see what 1 player can do with your entire database?
He can just wipe it all, without any hacks on his end.
Anywhere you allow player-input to be saved into your table directly, use %e instead of %s to escape inputted text and be safe from mysql injections.
