MySQL, real_escape_thing
#1

I can't compile and I don't know how to solve this :S

pawn Code:
new query[128];
new sqprice,sqlocx[64],sqlocy[64],sqlocz[64],sqpickup[64]; // bizzvalue and pickup are integers, pos[] holds Floats; the escape function expects strings
8512        samp_mysql_real_escape_string(bizzvalue, sqprice);
8513        samp_mysql_real_escape_string(pos[0], sqlocx);
8514        samp_mysql_real_escape_string(pos[1], sqlocy);
8515        samp_mysql_real_escape_string(pos[2], sqlocz);
8516        samp_mysql_real_escape_string(pickup, sqpickup);
8517        format(query, sizeof(query), "INSERT INTO testdb (price, locX, locY, locZ, bpickup) VALUES ('%i', '%f', '%f', '%f', '%i')", sqprice,sqlocx,sqlocy,sqlocz,sqpickup);
8518        samp_mysql_query(query);
It will give errors:
Code:
(8512) : error 035: argument type mismatch (argument 1)
(8513) : warning 213: tag mismatch
(8514) : warning 213: tag mismatch
(8515) : warning 213: tag mismatch
(8516) : error 035: argument type mismatch (argument 1)
How do I fix this?
Reply
#2

I guess your "pos" array is an array of floats; you don't need to escape floats, only strings.
Reply
#3

What does samp_mysql_real_escape_string actually do?
'Cause the first error is the 'bizzvalue' one, and it comes from: new bizzvalue = strval(tmp);
Why can't I just do

format(query, sizeof(query), "INSERT INTO bizzes (price, locX, locY, locZ, bpickup) VALUES ('%i', '%f', '%f', '%f', '%i')", bizzvalue,pos[0],pos[1],pos[2],pickup);

instead of the escape thingies?
Reply
#4

It prevents other users from injecting code into your SQL query.
Reply
#5

I don't get it.. How are they supposed to do that? And what difference would it make if I use a normal string or the escape string? Either way, it will go into the database.. :S
Reply
#6

Wikipedia about SQL injection
Reply
#7

Oh ok, I understand half of that I think. Does it mean that players could for example type DROP table blablabla as 'value' and then that table would be deleted? And the escape thing is supposed to prevent players from typing that? If that's all it's not a big problem because only value has to be Numeric. But is there any other reason why I should use escape string? Can people 'inject' in another way?
Reply
#8

Afaik the biggest vulnerability is SQL injection with strings, and you only need to escape strings.
Reply
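As an added example (not from this thread and not the SA-MP MySQL plugin's code), the INSERT from post #1 rebuilt in Python against an in-memory SQLite database, with a hypothetical `owner` string column added to show the one kind of value that does need escaping. Numeric columns are type-checked and formatted as numbers (which is what `%i`/`%f` in Pawn's `format()` already guarantees), the string column is escaped, and a parameterized version shows the approach to prefer wherever the driver supports it. Note that SQLite escapes a single quote by doubling it, whereas MySQL's `mysql_real_escape_string` uses backslashes and is charset-aware, so the `escape_string` below is specific to this demo.

```python
"""Escaping vs. parameter binding for the INSERT discussed in the thread.
Runs against an in-memory SQLite database so it works offline."""
import sqlite3
from typing import Union

Number = Union[int, float]


def escape_string(value: str) -> str:
    # SQLite-style escaping: a single quote inside a quoted literal is
    # written as two single quotes. MySQL's mysql_real_escape_string uses
    # backslash escapes instead; the principle is the same: neutralise the
    # character that would otherwise terminate the string literal.
    return value.replace("'", "''")


def format_number(value: Number) -> str:
    # Numbers need no escaping, but only if they really are numbers.
    # A str that merely looks numeric is rejected rather than interpolated.
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        raise TypeError(f"numeric column got {type(value).__name__}")
    return repr(value)


def build_insert_escaped(price: int, x: float, y: float, z: float,
                         pickup: int, owner: str) -> str:
    """String-building approach: numeric columns formatted, the single
    string column escaped (what escape-then-format does in the thread)."""
    return (
        "INSERT INTO bizzes (price, locX, locY, locZ, bpickup, owner) "
        f"VALUES ({format_number(price)}, {format_number(x)}, "
        f"{format_number(y)}, {format_number(z)}, {format_number(pickup)}, "
        f"'{escape_string(owner)}')"
    )


def store_escaped(conn, price, x, y, z, pickup, owner):
    conn.execute(build_insert_escaped(price, x, y, z, pickup, owner))


def store_parameterized(conn, price, x, y, z, pickup, owner):
    # Preferred: the driver passes values separately from the SQL text, so
    # nothing needs escaping and no value can change the statement's shape.
    conn.execute(
        "INSERT INTO bizzes (price, locX, locY, locZ, bpickup, owner) "
        "VALUES (?, ?, ?, ?, ?, ?)",
        (price, x, y, z, pickup, owner),
    )


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bizzes (price INTEGER, locX REAL, locY REAL, "
                 "locZ REAL, bpickup INTEGER, owner TEXT)")
    # Constructed sample input: the owner name carries single quotes, the
    # character that would end the literal early if it were not escaped.
    owner = "O'Neil's Bar"
    store_escaped(conn, 5000, 1.5, -2.25, 10.0, 3, owner)
    store_parameterized(conn, 7500, 0.0, 0.0, 0.0, 4, owner)
    # Both rows come back intact: the quotes were stored as data, not parsed
    # as part of the query.
    return conn.execute("SELECT price, owner FROM bizzes ORDER BY price").fetchall()


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Both `store_*` functions store the quoted name correctly; the difference is that the escaped version depends on the escape rule matching the database (and its charset) exactly, while the parameterized version does not, which is why parameter binding is the safer default when the client library offers it.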
#9

Quote:
Originally Posted by MaVe - leeturl.de
Afaik the biggest vulnerability is sql injection with strings and you only need to escape strings.
So how would I do this sql injection if I were a hacker?
Reply